From 20a1a946bc314e272f8f4f0c91c5415d5c446c19 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Fri, 7 Jan 2022 14:35:23 +1100 Subject: [PATCH 1/4] Fix compile errors from change in `impl_array_newtype` --- secp256k1-zkp-sys/src/zkp.rs | 12 ------------ src/zkp/generator.rs | 2 +- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/secp256k1-zkp-sys/src/zkp.rs b/secp256k1-zkp-sys/src/zkp.rs index ec9e4cd9..a674f048 100644 --- a/secp256k1-zkp-sys/src/zkp.rs +++ b/secp256k1-zkp-sys/src/zkp.rs @@ -490,12 +490,6 @@ impl Default for Tag { } } -impl hash::Hash for Tag { - fn hash(&self, state: &mut H) { - self.0.hash(state) - } -} - impl From<[u8; 32]> for Tag { fn from(bytes: [u8; 32]) -> Self { Tag(bytes) @@ -526,12 +520,6 @@ impl Default for PedersenCommitment { } } -impl hash::Hash for PedersenCommitment { - fn hash(&self, state: &mut H) { - state.write(&self.0) - } -} - /// A ring signature for the "whitelist" scheme. #[repr(C)] #[derive(Clone)] diff --git a/src/zkp/generator.rs b/src/zkp/generator.rs index c6f3ac29..af9e5ccf 100644 --- a/src/zkp/generator.rs +++ b/src/zkp/generator.rs @@ -8,7 +8,7 @@ use {constants, from_hex, Error, Secp256k1, Signing, Tag}; /// /// Contrary to a [`crate::SecretKey`], the value 0 is also a valid tweak. /// Values outside secp curve order are invalid tweaks. -#[derive(Default, Hash)] +#[derive(Default)] pub struct Tweak([u8; constants::SECRET_KEY_SIZE]); impl_array_newtype!(Tweak, u8, constants::SECRET_KEY_SIZE); From fae5f1cbcb7f24573867517fb641ad7dcd3ae897 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Fri, 7 Jan 2022 14:39:08 +1100 Subject: [PATCH 2/4] Remove explicit list of modules in favor of * We already re-export every module within `secp256k1` via `*`. There is no need to selectively re-export some of them as well. Remove the selected re-exports. --- src/lib.rs | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index b35668fb..722de326 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -63,17 +63,10 @@ extern crate wasm_bindgen_test; use core::{fmt, str}; -pub use secp256k1::constants; -pub use secp256k1::ecdh; -pub use secp256k1::key; -#[cfg(feature = "recovery")] -pub use secp256k1::recovery; -pub use secp256k1::schnorrsig; +pub use secp256k1::*; pub use key::{PublicKey, SecretKey}; -pub use secp256k1::*; - #[cfg(feature = "serde")] mod serde_util; mod zkp; From ce66406eae2656cd035d49e9df272ab1a8dd6ad4 Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Fri, 7 Jan 2022 14:42:29 +1100 Subject: [PATCH 3/4] Upgrade to secp256k1 0.21 Release 0.21 includes a module restructure which we can now make use of. This simplifies some imports. --- Cargo.toml | 2 +- src/lib.rs | 4 ---- src/zkp/ecdsa_adaptor.rs | 8 +++++--- src/zkp/rangeproof.rs | 5 +++-- src/zkp/surjection_proof.rs | 2 +- src/zkp/whitelist.rs | 3 ++- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 47b2b6f7..75af424e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,7 +30,7 @@ use-serde = ["serde", "secp256k1/serde"] use-rand = ["rand", "secp256k1/rand"] [dependencies] -secp256k1 = "0.20.0" +secp256k1 = "0.21.0" secp256k1-zkp-sys = { version = "0.5.0", default-features = false, path = "./secp256k1-zkp-sys" } rand = { version = "0.6", default-features = false, optional = true } serde = { version = "1.0", default-features = false, optional = true } diff --git a/src/lib.rs b/src/lib.rs index 722de326..b018fdf4 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -43,8 +43,6 @@ pub use secp256k1_zkp_sys as ffi; extern crate secp256k1; -#[cfg(feature = "bitcoin_hashes")] -pub use secp256k1::bitcoin_hashes as hashes; #[cfg(any(test, feature = "std"))] extern crate core; #[cfg(any(test, feature = "rand"))] @@ -65,8 +63,6 @@ use core::{fmt, str}; pub use secp256k1::*; -pub use key::{PublicKey, SecretKey}; - #[cfg(feature = "serde")] mod serde_util; mod zkp; diff --git a/src/zkp/ecdsa_adaptor.rs b/src/zkp/ecdsa_adaptor.rs index 37fb497e..8cf08005 100644 --- a/src/zkp/ecdsa_adaptor.rs +++ b/src/zkp/ecdsa_adaptor.rs @@ -13,10 +13,12 @@ use ffi::{self, CPtr, ECDSA_ADAPTOR_SIGNATURE_LENGTH}; use rand::thread_rng; #[cfg(any(test, feature = "rand"))] use rand::{CryptoRng, Rng}; -use {constants, PublicKey, Secp256k1, SecretKey}; +use secp256k1::ecdsa::Signature; +use secp256k1::{PublicKey, SecretKey}; +use Verification; +use {constants, Secp256k1}; use {from_hex, Error}; use {Message, Signing}; -use {Signature, Verification}; /// Represents an adaptor signature and dleq proof. #[derive(Debug, PartialEq, Clone, Copy, Eq)] @@ -309,7 +311,7 @@ mod tests { .decrypt(&adaptor_secret) .expect("to be able to decrypt using the correct secret"); SECP256K1 - .verify(&msg, &sig, &pubkey) + .verify_ecdsa(&msg, &sig, &pubkey) .expect("signature to be valid"); let recovered = adaptor_sig .recover(&SECP256K1, &sig, &adaptor) diff --git a/src/zkp/rangeproof.rs b/src/zkp/rangeproof.rs index d950c7dc..2f7fe132 100644 --- a/src/zkp/rangeproof.rs +++ b/src/zkp/rangeproof.rs @@ -1,12 +1,13 @@ use ffi::RANGEPROOF_MAX_LENGTH; use from_hex; +use secp256k1::SecretKey; use std::ops::Range; use std::str; use Error; use Generator; use PedersenCommitment; use Verification; -use {ffi, Secp256k1, SecretKey, Signing, Tweak}; +use {ffi, Secp256k1, Signing, Tweak}; /// Represents a range proof. /// @@ -203,7 +204,7 @@ impl RangeProof { #[cfg(feature = "bitcoin_hashes")] impl ::core::fmt::Display for RangeProof { fn fmt(&self, f: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result { - use bitcoin_hashes::hex::format_hex; + use hashes::hex::format_hex; format_hex(self.serialize().as_slice(), f) } diff --git a/src/zkp/surjection_proof.rs b/src/zkp/surjection_proof.rs index f1e1c8cf..6756a9e0 100644 --- a/src/zkp/surjection_proof.rs +++ b/src/zkp/surjection_proof.rs @@ -183,7 +183,7 @@ impl SurjectionProof { #[cfg(feature = "bitcoin_hashes")] impl ::core::fmt::Display for SurjectionProof { fn fmt(&self, f: &mut ::core::fmt::Formatter<'_>) -> ::core::fmt::Result { - use bitcoin_hashes::hex::format_hex; + use hashes::hex::format_hex; format_hex(self.serialize().as_slice(), f) } diff --git a/src/zkp/whitelist.rs b/src/zkp/whitelist.rs index ad94b4c7..b37001dd 100644 --- a/src/zkp/whitelist.rs +++ b/src/zkp/whitelist.rs @@ -10,7 +10,8 @@ use core::ptr; use ffi::CPtr; #[cfg(feature = "std")] use from_hex; -use {ffi, secp256k1, Error, PublicKey, Secp256k1, SecretKey, Signing, Verification}; +use secp256k1::{PublicKey, SecretKey}; +use {ffi, secp256k1, Error, Secp256k1, Signing, Verification}; /// A whitelist ring signature. #[derive(Clone, PartialEq, Eq, Hash)] From bb6e6ebf427482486da2e776679dd65562fcb06b Mon Sep 17 00:00:00 2001 From: Thomas Eizinger Date: Tue, 15 Feb 2022 15:09:12 +1100 Subject: [PATCH 4/4] Bump vendored library to edcacc2b2ecc38f2cc85aec8e1b5e1bb743132d2 This hash was chosen because it is a recent commit after the one that secp256k1-sys depends on. --- secp256k1-zkp-sys/Cargo.toml | 2 +- .../depend/secp256k1-HEAD-revision.txt | 2 +- .../depend/secp256k1/.cirrus.yml | 196 +- secp256k1-zkp-sys/depend/secp256k1/.gitignore | 8 + .../depend/secp256k1/Makefile.am | 38 +- secp256k1-zkp-sys/depend/secp256k1/README.md | 5 +- .../secp256k1/build-aux/m4/bitcoin_secp.m4 | 13 - .../depend/secp256k1/ci/cirrus.sh | 35 +- .../secp256k1/ci/linux-debian.Dockerfile | 17 +- .../depend/secp256k1/configure.ac | 67 +- .../secp256k1/contrib/lax_der_parsing.c | 9 +- .../secp256k1/contrib/lax_der_parsing.h | 16 +- .../contrib/lax_der_privatekey_parsing.c | 15 +- .../contrib/lax_der_privatekey_parsing.h | 12 +- .../secp256k1/doc/safegcd_implementation.md | 765 +++ .../depend/secp256k1/include/secp256k1.h | 275 +- .../depend/secp256k1/include/secp256k1.h.orig | 295 +- .../depend/secp256k1/include/secp256k1_ecdh.h | 24 +- .../include/secp256k1_ecdsa_adaptor.h | 40 +- .../secp256k1/include/secp256k1_ecdsa_s2c.h | 74 +- .../secp256k1/include/secp256k1_extrakeys.h | 121 +- .../secp256k1/include/secp256k1_generator.h | 32 +- .../secp256k1/include/secp256k1_musig.h | 150 +- .../include/secp256k1_preallocated.h | 54 +- .../secp256k1/include/secp256k1_rangeproof.h | 74 +- .../secp256k1/include/secp256k1_recovery.h | 44 +- .../secp256k1/include/secp256k1_schnorrsig.h | 28 +- .../include/secp256k1_surjectionproof.h | 96 +- .../secp256k1/include/secp256k1_whitelist.h | 54 +- .../depend/secp256k1/obj/.gitignore | 0 .../secp256k1/sage/gen_exhaustive_groups.sage | 6 +- .../sage/gen_split_lambda_constants.sage | 16 +- .../sage/prove_group_implementations.sage | 50 +- .../secp256k1/src/asm/field_10x26_arm.s | 16 +- .../depend/secp256k1/src/assumptions.h | 2 +- .../depend/secp256k1/src/basic-config.h | 19 +- .../depend/secp256k1/src/bench_ecdh.c | 16 +- .../depend/secp256k1/src/bench_ecmult.c | 301 +- .../depend/secp256k1/src/bench_generator.c | 14 +- .../depend/secp256k1/src/bench_internal.c | 195 +- .../depend/secp256k1/src/bench_rangeproof.c | 16 +- .../depend/secp256k1/src/bench_recover.c | 20 +- .../depend/secp256k1/src/bench_schnorrsig.c | 34 +- .../depend/secp256k1/src/bench_sign.c | 14 +- .../depend/secp256k1/src/bench_verify.c | 30 +- .../depend/secp256k1/src/bench_whitelist.c | 55 +- .../depend/secp256k1/src/eccommit.h | 14 +- .../depend/secp256k1/src/eccommit_impl.h | 54 +- .../depend/secp256k1/src/ecdsa.h | 8 +- .../depend/secp256k1/src/ecdsa_impl.h | 124 +- .../depend/secp256k1/src/eckey.h | 12 +- .../depend/secp256k1/src/eckey_impl.h | 74 +- .../depend/secp256k1/src/ecmult.h | 23 +- .../depend/secp256k1/src/ecmult_const.h | 2 +- .../depend/secp256k1/src/ecmult_const_impl.h | 118 +- .../depend/secp256k1/src/ecmult_gen.h | 22 +- .../depend/secp256k1/src/ecmult_gen_impl.h | 136 +- .../depend/secp256k1/src/ecmult_impl.h | 512 +- .../depend/secp256k1/src/field.h | 66 +- .../depend/secp256k1/src/field_10x26.h | 4 +- .../depend/secp256k1/src/field_10x26_impl.h | 185 +- .../depend/secp256k1/src/field_5x52.h | 4 +- .../secp256k1/src/field_5x52_asm_impl.h | 4 +- .../depend/secp256k1/src/field_5x52_impl.h | 165 +- .../secp256k1/src/field_5x52_int128_impl.h | 4 +- .../depend/secp256k1/src/field_impl.h | 239 +- .../depend/secp256k1/src/gen_context.c | 24 +- .../depend/secp256k1/src/group.h | 94 +- .../depend/secp256k1/src/group_impl.h | 569 +- secp256k1-zkp-sys/depend/secp256k1/src/hash.h | 26 +- .../depend/secp256k1/src/hash_impl.h | 122 +- .../depend/secp256k1/src/modinv32.h | 42 + .../depend/secp256k1/src/modinv32_impl.h | 587 ++ .../depend/secp256k1/src/modinv64.h | 46 + .../depend/secp256k1/src/modinv64_impl.h | 593 ++ .../src/modules/ecdh/Makefile.am.include | 2 +- .../secp256k1/src/modules/ecdh/main_impl.h | 50 +- .../secp256k1/src/modules/ecdh/tests_impl.h | 68 +- .../modules/ecdsa_adaptor/Makefile.am.include | 2 +- .../src/modules/ecdsa_adaptor/dleq_impl.h | 132 +- .../src/modules/ecdsa_adaptor/main_impl.h | 296 +- .../src/modules/ecdsa_adaptor/tests_impl.h | 532 +- .../src/modules/ecdsa_s2c/Makefile.am.include | 2 +- .../src/modules/ecdsa_s2c/main_impl.h | 126 +- .../src/modules/ecdsa_s2c/tests_impl.h | 288 +- .../src/modules/extrakeys/Makefile.am.include | 2 +- .../src/modules/extrakeys/main_impl.h | 190 +- .../modules/extrakeys/tests_exhaustive_impl.h | 48 +- .../src/modules/extrakeys/tests_impl.h | 548 +- .../src/modules/generator/Makefile.am.include | 2 +- .../src/modules/generator/main_impl.h | 200 +- .../src/modules/generator/tests_impl.h | 122 +- .../src/modules/musig/Makefile.am.include | 2 +- .../secp256k1/src/modules/musig/example.c | 58 +- .../secp256k1/src/modules/musig/main_impl.h | 404 +- .../secp256k1/src/modules/musig/musig.md | 48 +- .../secp256k1/src/modules/musig/tests_impl.h | 874 +-- .../modules/rangeproof/Makefile.am.include | 2 +- .../src/modules/rangeproof/borromean.h | 8 +- .../src/modules/rangeproof/borromean_impl.h | 130 +- .../src/modules/rangeproof/main_impl.h | 224 +- .../src/modules/rangeproof/pedersen.h | 4 +- .../src/modules/rangeproof/pedersen_impl.h | 26 +- .../src/modules/rangeproof/rangeproof.h | 8 +- .../src/modules/rangeproof/rangeproof_impl.h | 300 +- .../src/modules/rangeproof/tests_impl.h | 420 +- .../src/modules/recovery/Makefile.am.include | 2 +- .../src/modules/recovery/main_impl.h | 120 +- .../modules/recovery/tests_exhaustive_impl.h | 82 +- .../src/modules/recovery/tests_impl.h | 272 +- .../modules/schnorrsig/Makefile.am.include | 2 +- .../src/modules/schnorrsig/main_impl.h | 168 +- .../schnorrsig/tests_exhaustive_impl.h | 68 +- .../src/modules/schnorrsig/tests_impl.h | 276 +- .../modules/surjection/Makefile.am.include | 2 +- .../src/modules/surjection/main_impl.h | 104 +- .../src/modules/surjection/surjection.h | 6 +- .../src/modules/surjection/surjection_impl.h | 40 +- .../src/modules/surjection/tests_impl.h | 376 +- .../src/modules/whitelist/Makefile.am.include | 2 +- .../src/modules/whitelist/main_impl.h | 58 +- .../src/modules/whitelist/tests_impl.h | 80 +- .../src/modules/whitelist/whitelist_impl.h | 106 +- secp256k1-zkp-sys/depend/secp256k1/src/num.h | 74 - .../depend/secp256k1/src/num_gmp.h | 20 - .../depend/secp256k1/src/num_gmp_impl.h | 288 - .../depend/secp256k1/src/num_impl.h | 24 - .../depend/secp256k1/src/scalar.h | 66 +- .../depend/secp256k1/src/scalar_4x64.h | 2 +- .../depend/secp256k1/src/scalar_4x64_impl.h | 322 +- .../depend/secp256k1/src/scalar_8x32.h | 2 +- .../depend/secp256k1/src/scalar_8x32_impl.h | 259 +- .../depend/secp256k1/src/scalar_impl.h | 293 +- .../depend/secp256k1/src/scalar_low.h | 2 +- .../depend/secp256k1/src/scalar_low_impl.h | 69 +- .../depend/secp256k1/src/scratch.h | 20 +- .../depend/secp256k1/src/scratch_impl.h | 26 +- .../depend/secp256k1/src/secp256k1.c | 557 +- .../depend/secp256k1/src/secp256k1.c.orig | 587 +- .../depend/secp256k1/src/selftest.h | 16 +- .../depend/secp256k1/src/testrand.h | 22 +- .../depend/secp256k1/src/testrand_impl.h | 78 +- .../depend/secp256k1/src/tests.c | 5022 ++++++++++------- .../depend/secp256k1/src/tests_exhaustive.c | 245 +- secp256k1-zkp-sys/depend/secp256k1/src/util.h | 79 +- .../depend/secp256k1/src/util.h.orig | 87 +- .../secp256k1/src/valgrind_ctime_test.c | 86 +- secp256k1-zkp-sys/src/error_callbacks.rs | 4 +- secp256k1-zkp-sys/src/zkp.rs | 54 +- 149 files changed, 12541 insertions(+), 9883 deletions(-) create mode 100644 secp256k1-zkp-sys/depend/secp256k1/doc/safegcd_implementation.md delete mode 100644 secp256k1-zkp-sys/depend/secp256k1/obj/.gitignore create mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/modinv32.h create mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/modinv32_impl.h create mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/modinv64.h create mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/modinv64_impl.h delete mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/num.h delete mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/num_gmp.h delete mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/num_gmp_impl.h delete mode 100644 secp256k1-zkp-sys/depend/secp256k1/src/num_impl.h diff --git a/secp256k1-zkp-sys/Cargo.toml b/secp256k1-zkp-sys/Cargo.toml index 8999ae65..5c114dd7 100644 --- a/secp256k1-zkp-sys/Cargo.toml +++ b/secp256k1-zkp-sys/Cargo.toml @@ -13,7 +13,7 @@ description = "FFI for `libsecp256k1-zkp` library." keywords = [ "secp256k1", "libsecp256k1-zkp", "ffi" ] readme = "README.md" build = "build.rs" -links = "rustsecp256k1zkp_v0_5_0" +links = "rustsecp256k1zkp_v0_6_0" # Should make docs.rs show all functions, even those behind non-default features [package.metadata.docs.rs] diff --git a/secp256k1-zkp-sys/depend/secp256k1-HEAD-revision.txt b/secp256k1-zkp-sys/depend/secp256k1-HEAD-revision.txt index a498b2f3..790fe274 100644 --- a/secp256k1-zkp-sys/depend/secp256k1-HEAD-revision.txt +++ b/secp256k1-zkp-sys/depend/secp256k1-HEAD-revision.txt @@ -1,2 +1,2 @@ # This file was automatically created by ./vendor-libsecp.sh -f3708a1ecb445b1b05a0f8fcd1da6a88f83d89c4 +edcacc2b2ecc38f2cc85aec8e1b5e1bb743132d2 diff --git a/secp256k1-zkp-sys/depend/secp256k1/.cirrus.yml b/secp256k1-zkp-sys/depend/secp256k1/.cirrus.yml index 28a5d323..d157e994 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/.cirrus.yml +++ b/secp256k1-zkp-sys/depend/secp256k1/.cirrus.yml @@ -1,12 +1,10 @@ env: WIDEMUL: auto - BIGNUM: auto STATICPRECOMPUTATION: yes ECMULTGENPRECISION: auto ASM: no BUILD: check WITH_VALGRIND: yes - RUN_VALGRIND: no EXTRAFLAGS: HOST: ECDH: no @@ -21,7 +19,8 @@ env: EXPERIMENTAL: no CTIMETEST: yes BENCH: yes - ITERS: 2 + TEST_ITERS: + BENCH_ITERS: 2 MAKEFLAGS: -j2 cat_logs_snippet: &CAT_LOGS @@ -65,47 +64,13 @@ task: - env: {WIDEMUL: int128, RECOVERY: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes} - env: {WIDEMUL: int128, ECDH: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes} - env: {WIDEMUL: int128, ASM: x86_64} - - env: {BIGNUM: no} - - env: {BIGNUM: no, RECOVERY: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes} - - env: {BIGNUM: no, STATICPRECOMPUTATION: no} + - env: { RECOVERY: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes, ECDSA_S2C: yes, RANGEPROOF: yes, WHITELIST: yes, GENERATOR: yes, MUSIG: yes, ECDSAADAPTOR: yes} + - env: { STATICPRECOMPUTATION: no} - env: {BUILD: distcheck, WITH_VALGRIND: no, CTIMETEST: no, BENCH: no} - env: {CPPFLAGS: -DDETERMINISTIC} - env: {CFLAGS: -O0, CTIMETEST: no} - - env: - CFLAGS: "-fsanitize=undefined -fno-omit-frame-pointer" - LDFLAGS: "-fsanitize=undefined -fno-omit-frame-pointer" - UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1" - BIGNUM: no - ASM: x86_64 - ECDH: yes - RECOVERY: yes - EXPERIMENTAL: yes - SCHNORRSIG: yes - ECDSA_S2C: yes - RANGEPROOF: yes - WHITELIST: yes - GENERATOR: yes - MUSIG: yes - ECDSAADAPTOR: yes - CTIMETEST: no - env: { ECMULTGENPRECISION: 2 } - env: { ECMULTGENPRECISION: 8 } - - env: - RUN_VALGRIND: yes - BIGNUM: no - ASM: x86_64 - ECDH: yes - RECOVERY: yes - EXPERIMENTAL: yes - SCHNORRSIG: yes - ECDSA_S2C: yes - RANGEPROOF: yes - WHITELIST: yes - GENERATOR: yes - MUSIG: yes - ECDSAADAPTOR: yes - EXTRAFLAGS: "--disable-openssl-tests" - BUILD: matrix: - env: CC: gcc @@ -139,11 +104,6 @@ task: CC: i686-linux-gnu-gcc - env: CC: clang --target=i686-pc-linux-gnu -isystem /usr/i686-linux-gnu/include - matrix: - - env: - BIGNUM: gmp - - env: - BIGNUM: no << : *MERGE_BASE test_script: - ./ci/cirrus.sh @@ -204,7 +164,7 @@ task: # If we haven't restored from cached (and just run brew install), this is a no-op. - brew link valgrind brew_script: - - brew install automake libtool gmp gcc@9 + - brew install automake libtool gcc@9 << : *MERGE_BASE test_script: - ./ci/cirrus.sh @@ -217,11 +177,10 @@ task: cpu: 1 memory: 1G env: - QEMU_CMD: qemu-s390x + WRAPPER_CMD: qemu-s390x + TEST_ITERS: 16 HOST: s390x-linux-gnu - BUILD: WITH_VALGRIND: no - BIGNUM: no ECDH: yes RECOVERY: yes EXPERIMENTAL: yes @@ -239,3 +198,144 @@ task: - rm /etc/ld.so.cache - ./ci/cirrus.sh << : *CAT_LOGS + +task: + name: "ARM32: Linux (Debian stable, QEMU)" + container: + dockerfile: ci/linux-debian.Dockerfile + cpu: 1 + memory: 1G + env: + WRAPPER_CMD: qemu-arm + TEST_ITERS: 16 + HOST: arm-linux-gnueabihf + WITH_VALGRIND: no + ECDH: yes + RECOVERY: yes + EXPERIMENTAL: yes + SCHNORRSIG: yes + CTIMETEST: no + matrix: + - env: {} + - env: {ASM: arm} + << : *MERGE_BASE + test_script: + - ./ci/cirrus.sh + << : *CAT_LOGS + +task: + name: "ARM64: Linux (Debian stable, QEMU)" + container: + dockerfile: ci/linux-debian.Dockerfile + cpu: 1 + memory: 1G + env: + WRAPPER_CMD: qemu-aarch64 + TEST_ITERS: 16 + HOST: aarch64-linux-gnu + WITH_VALGRIND: no + ECDH: yes + RECOVERY: yes + EXPERIMENTAL: yes + SCHNORRSIG: yes + CTIMETEST: no + << : *MERGE_BASE + test_script: + - ./ci/cirrus.sh + << : *CAT_LOGS + +task: + name: "ppc64le: Linux (Debian stable, QEMU)" + container: + dockerfile: ci/linux-debian.Dockerfile + cpu: 1 + memory: 1G + env: + WRAPPER_CMD: qemu-ppc64le + TEST_ITERS: 16 + HOST: powerpc64le-linux-gnu + WITH_VALGRIND: no + ECDH: yes + RECOVERY: yes + EXPERIMENTAL: yes + SCHNORRSIG: yes + CTIMETEST: no + << : *MERGE_BASE + test_script: + - ./ci/cirrus.sh + << : *CAT_LOGS + +task: + name: "x86_64 (mingw32-w64): Windows (Debian stable, Wine)" + container: + dockerfile: ci/linux-debian.Dockerfile + cpu: 1 + memory: 1G + env: + WRAPPER_CMD: wine64-stable + TEST_ITERS: 16 + HOST: x86_64-w64-mingw32 + WITH_VALGRIND: no + ECDH: yes + RECOVERY: yes + EXPERIMENTAL: yes + SCHNORRSIG: yes + CTIMETEST: no + << : *MERGE_BASE + test_script: + - ./ci/cirrus.sh + << : *CAT_LOGS + +# Sanitizers +task: + container: + dockerfile: ci/linux-debian.Dockerfile + cpu: 1 + memory: 1G + env: + ECDH: yes + RECOVERY: yes + EXPERIMENTAL: yes + SCHNORRSIG: yes + ECDSA_S2C: yes + RANGEPROOF: yes + WHITELIST: yes + GENERATOR: yes + MUSIG: yes + ECDSAADAPTOR: yes + CTIMETEST: no + EXTRAFLAGS: "--disable-openssl-tests" + matrix: + - name: "Valgrind (memcheck)" + env: + # The `--error-exitcode` is required to make the test fail if valgrind found errors, otherwise it'll return 0 (https://www.valgrind.org/docs/manual/manual-core.html) + WRAPPER_CMD: "valgrind --error-exitcode=42" + TEST_ITERS: 16 + - name: "UBSan, ASan, LSan" + env: + CFLAGS: "-fsanitize=undefined,address" + CFLAGS_FOR_BUILD: "-fsanitize=undefined,address" + UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1" + ASAN_OPTIONS: "strict_string_checks=1:detect_stack_use_after_return=1:detect_leaks=1" + LSAN_OPTIONS: "use_unaligned=1" + TEST_ITERS: 32 + # Try to cover many configurations with just a tiny matrix. + matrix: + - env: + ASM: auto + STATICPRECOMPUTATION: yes + - env: + ASM: no + STATICPRECOMPUTATION: no + ECMULTGENPRECISION: 2 + matrix: + - env: + CC: clang + - env: + HOST: i686-linux-gnu + CC: i686-linux-gnu-gcc + << : *MERGE_BASE + test_script: + - ./ci/cirrus.sh + << : *CAT_LOGS + diff --git a/secp256k1-zkp-sys/depend/secp256k1/.gitignore b/secp256k1-zkp-sys/depend/secp256k1/.gitignore index cdfad486..72a684a8 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/.gitignore +++ b/secp256k1-zkp-sys/depend/secp256k1/.gitignore @@ -35,6 +35,14 @@ libtool *~ *.log *.trs + +coverage/ +coverage.html +coverage.*.html +*.gcda +*.gcno +*.gcov + src/libsecp256k1-config.h src/libsecp256k1-config.h.in src/ecmult_static_context.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/Makefile.am b/secp256k1-zkp-sys/depend/secp256k1/Makefile.am index c9e611ed..2c1a3fdd 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/Makefile.am +++ b/secp256k1-zkp-sys/depend/secp256k1/Makefile.am @@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS = -I build-aux/m4 lib_LTLIBRARIES = libsecp256k1.la include_HEADERS = include/secp256k1.h -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_preallocated.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_preallocated.h noinst_HEADERS = noinst_HEADERS += src/scalar.h noinst_HEADERS += src/scalar_4x64.h @@ -14,8 +14,6 @@ noinst_HEADERS += src/scalar_8x32_impl.h noinst_HEADERS += src/scalar_low_impl.h noinst_HEADERS += src/group.h noinst_HEADERS += src/group_impl.h -noinst_HEADERS += src/num_gmp.h -noinst_HEADERS += src/num_gmp_impl.h noinst_HEADERS += src/eccommit.h noinst_HEADERS += src/eccommit_impl.h noinst_HEADERS += src/ecdsa.h @@ -28,14 +26,16 @@ noinst_HEADERS += src/ecmult_const.h noinst_HEADERS += src/ecmult_const_impl.h noinst_HEADERS += src/ecmult_gen.h noinst_HEADERS += src/ecmult_gen_impl.h -noinst_HEADERS += src/num.h -noinst_HEADERS += src/num_impl.h noinst_HEADERS += src/field_10x26.h noinst_HEADERS += src/field_10x26_impl.h noinst_HEADERS += src/field_5x52.h noinst_HEADERS += src/field_5x52_impl.h noinst_HEADERS += src/field_5x52_int128_impl.h noinst_HEADERS += src/field_5x52_asm_impl.h +noinst_HEADERS += src/modinv32.h +noinst_HEADERS += src/modinv32_impl.h +noinst_HEADERS += src/modinv64.h +noinst_HEADERS += src/modinv64_impl.h noinst_HEADERS += src/assumptions.h noinst_HEADERS += src/util.h noinst_HEADERS += src/scratch.h @@ -54,7 +54,7 @@ noinst_HEADERS += contrib/lax_der_privatekey_parsing.h noinst_HEADERS += contrib/lax_der_privatekey_parsing.c if USE_EXTERNAL_ASM -COMMON_LIB = librustsecp256k1zkp_v0_5_0_common.la +COMMON_LIB = librustsecp256k1zkp_v0_6_0_common.la noinst_LTLIBRARIES = $(COMMON_LIB) else COMMON_LIB = @@ -65,16 +65,16 @@ pkgconfig_DATA = libsecp256k1.pc if USE_EXTERNAL_ASM if USE_ASM_ARM -librustsecp256k1zkp_v0_5_0_common_la_SOURCES = src/asm/field_10x26_arm.s +librustsecp256k1zkp_v0_6_0_common_la_SOURCES = src/asm/field_10x26_arm.s endif endif -librustsecp256k1zkp_v0_5_0_la_SOURCES = src/secp256k1.c -librustsecp256k1zkp_v0_5_0_la_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES) -librustsecp256k1zkp_v0_5_0_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB) +librustsecp256k1zkp_v0_6_0_la_SOURCES = src/secp256k1.c +librustsecp256k1zkp_v0_6_0_la_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES) +librustsecp256k1zkp_v0_6_0_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB) if VALGRIND_ENABLED -librustsecp256k1zkp_v0_5_0_la_CPPFLAGS += -DVALGRIND +librustsecp256k1zkp_v0_6_0_la_CPPFLAGS += -DVALGRIND endif noinst_PROGRAMS = @@ -83,27 +83,27 @@ noinst_PROGRAMS += bench_verify bench_sign bench_internal bench_ecmult bench_verify_SOURCES = src/bench_verify.c bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) # SECP_TEST_INCLUDES are only used here for CRYPTO_CPPFLAGS -bench_verify_CPPFLAGS = -DSECP256K1_BUILD $(SECP_TEST_INCLUDES) +bench_verify_CPPFLAGS = $(SECP_TEST_INCLUDES) bench_sign_SOURCES = src/bench_sign.c bench_sign_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) bench_internal_SOURCES = src/bench_internal.c bench_internal_LDADD = $(SECP_LIBS) $(COMMON_LIB) -bench_internal_CPPFLAGS = -DSECP256K1_BUILD $(SECP_INCLUDES) +bench_internal_CPPFLAGS = $(SECP_INCLUDES) bench_ecmult_SOURCES = src/bench_ecmult.c bench_ecmult_LDADD = $(SECP_LIBS) $(COMMON_LIB) -bench_ecmult_CPPFLAGS = -DSECP256K1_BUILD $(SECP_INCLUDES) +bench_ecmult_CPPFLAGS = $(SECP_INCLUDES) endif TESTS = if USE_TESTS noinst_PROGRAMS += tests tests_SOURCES = src/tests.c -tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src -I$(top_srcdir)/include $(SECP_INCLUDES) $(SECP_TEST_INCLUDES) +tests_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/include $(SECP_INCLUDES) $(SECP_TEST_INCLUDES) if VALGRIND_ENABLED tests_CPPFLAGS += -DVALGRIND noinst_PROGRAMS += valgrind_ctime_test valgrind_ctime_test_SOURCES = src/valgrind_ctime_test.c -valgrind_ctime_test_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_LIBS) $(COMMON_LIB) +valgrind_ctime_test_LDADD = libsecp256k1.la $(SECP_LIBS) $(COMMON_LIB) endif if !ENABLE_COVERAGE tests_CPPFLAGS += -DVERIFY @@ -116,7 +116,7 @@ endif if USE_EXHAUSTIVE_TESTS noinst_PROGRAMS += exhaustive_tests exhaustive_tests_SOURCES = src/tests_exhaustive.c -exhaustive_tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src $(SECP_INCLUDES) +exhaustive_tests_CPPFLAGS = -I$(top_srcdir)/src $(SECP_INCLUDES) if !ENABLE_COVERAGE exhaustive_tests_CPPFLAGS += -DVERIFY endif @@ -131,12 +131,12 @@ CPPFLAGS_FOR_BUILD +=-I$(top_srcdir) -I$(builddir)/src gen_context_OBJECTS = gen_context.o gen_context_BIN = gen_context$(BUILD_EXEEXT) gen_%.o: src/gen_%.c src/libsecp256k1-config.h - $(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@ + $(CC_FOR_BUILD) $(DEFS) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@ $(gen_context_BIN): $(gen_context_OBJECTS) $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) $^ -o $@ -$(librustsecp256k1zkp_v0_5_0_la_OBJECTS): src/ecmult_static_context.h +$(librustsecp256k1zkp_v0_6_0_la_OBJECTS): src/ecmult_static_context.h $(tests_OBJECTS): src/ecmult_static_context.h $(bench_internal_OBJECTS): src/ecmult_static_context.h $(bench_ecmult_OBJECTS): src/ecmult_static_context.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/README.md b/secp256k1-zkp-sys/depend/secp256k1/README.md index 43dc4238..232b5981 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/README.md +++ b/secp256k1-zkp-sys/depend/secp256k1/README.md @@ -35,11 +35,11 @@ Implementation details * Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1). * Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys). * Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan). - * Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman). * Scalar operations * Optimized implementation without data-dependent branches of arithmetic modulo the curve's order. * Using 4 64-bit limbs (relying on __int128 support in the compiler). * Using 8 32-bit limbs. +* Modular inverses (both field elements and scalars) based on [safegcd](https://gcd.cr.yp.to/index.html) with some modifications, and a variable-time variant (by Peter Dettman). * Group operations * Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7). * Use addition between points in Jacobian and affine coordinates where possible. @@ -97,7 +97,8 @@ To create a report, `gcovr` is recommended, as it includes branch coverage repor To create a HTML report with coloured and annotated source code: - $ gcovr --exclude 'src/bench*' --html --html-details -o coverage.html + $ mkdir -p coverage + $ gcovr --exclude 'src/bench*' --html --html-details -o coverage/coverage.html Reporting a vulnerability ------------ diff --git a/secp256k1-zkp-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 b/secp256k1-zkp-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 index 7b48a5e5..e57888ca 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 +++ b/secp256k1-zkp-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 @@ -75,19 +75,6 @@ if test x"$has_libcrypto" = x"yes" && test x"$has_openssl_ec" = x; then fi ]) -dnl -AC_DEFUN([SECP_GMP_CHECK],[ -if test x"$has_gmp" != x"yes"; then - CPPFLAGS_TEMP="$CPPFLAGS" - CPPFLAGS="$GMP_CPPFLAGS $CPPFLAGS" - LIBS_TEMP="$LIBS" - LIBS="$GMP_LIBS $LIBS" - AC_CHECK_HEADER(gmp.h,[AC_CHECK_LIB(gmp, __gmpz_init,[has_gmp=yes; GMP_LIBS="$GMP_LIBS -lgmp"; AC_DEFINE(HAVE_LIBGMP,1,[Define this symbol if libgmp is installed])])]) - CPPFLAGS="$CPPFLAGS_TEMP" - LIBS="$LIBS_TEMP" -fi -]) - AC_DEFUN([SECP_VALGRIND_CHECK],[ if test x"$has_valgrind" != x"yes"; then CPPFLAGS_TEMP="$CPPFLAGS" diff --git a/secp256k1-zkp-sys/depend/secp256k1/ci/cirrus.sh b/secp256k1-zkp-sys/depend/secp256k1/ci/cirrus.sh index 785a522a..c32471ef 100755 --- a/secp256k1-zkp-sys/depend/secp256k1/ci/cirrus.sh +++ b/secp256k1-zkp-sys/depend/secp256k1/ci/cirrus.sh @@ -14,7 +14,7 @@ valgrind --version || true ./configure \ --enable-experimental="$EXPERIMENTAL" \ - --with-test-override-wide-multiply="$WIDEMUL" --with-bignum="$BIGNUM" --with-asm="$ASM" \ + --with-test-override-wide-multiply="$WIDEMUL" --with-asm="$ASM" \ --enable-ecmult-static-precomputation="$STATICPRECOMPUTATION" --with-ecmult-gen-precision="$ECMULTGENPRECISION" \ --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \ --enable-module-ecdsa-s2c="$ECDSA_S2C" \ @@ -27,42 +27,27 @@ valgrind --version || true make # Print information about binaries so that we can see that the architecture is correct -file *tests || true +file *tests* || true file bench_* || true file .libs/* || true -if [ -n "$BUILD" ] -then - make "$BUILD" -fi +# This tells `make check` to wrap test invocations. +export LOG_COMPILER="$WRAPPER_CMD" -if [ "$RUN_VALGRIND" = "yes" ] -then - # the `--error-exitcode` is required to make the test fail if valgrind found errors, otherwise it'll return 0 (https://www.valgrind.org/docs/manual/manual-core.html) - valgrind --error-exitcode=42 ./tests 16 - valgrind --error-exitcode=42 ./exhaustive_tests -fi +# This limits the iterations in the tests and benchmarks. +export SECP256K1_TEST_ITERS="$TEST_ITERS" +export SECP256K1_BENCH_ITERS="$BENCH_ITERS" -if [ -n "$QEMU_CMD" ] -then - $QEMU_CMD ./tests 16 - $QEMU_CMD ./exhaustive_tests -fi +make "$BUILD" if [ "$BENCH" = "yes" ] then # Using the local `libtool` because on macOS the system's libtool has nothing to do with GNU libtool EXEC='./libtool --mode=execute' - if [ -n "$QEMU_CMD" ] - then - EXEC="$EXEC $QEMU_CMD" - fi - if [ "$RUN_VALGRIND" = "yes" ] + if [ -n "$WRAPPER_CMD" ] then - EXEC="$EXEC valgrind --error-exitcode=42" + EXEC="$EXEC $WRAPPER_CMD" fi - # This limits the iterations in the benchmarks below to ITER iterations. - export SECP256K1_BENCH_ITERS="$ITERS" { $EXEC ./bench_ecmult $EXEC ./bench_internal diff --git a/secp256k1-zkp-sys/depend/secp256k1/ci/linux-debian.Dockerfile b/secp256k1-zkp-sys/depend/secp256k1/ci/linux-debian.Dockerfile index 201ace4f..6def9133 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/ci/linux-debian.Dockerfile +++ b/secp256k1-zkp-sys/depend/secp256k1/ci/linux-debian.Dockerfile @@ -2,12 +2,23 @@ FROM debian:stable RUN dpkg --add-architecture i386 RUN dpkg --add-architecture s390x +RUN dpkg --add-architecture armhf +RUN dpkg --add-architecture arm64 +RUN dpkg --add-architecture ppc64el RUN apt-get update # dkpg-dev: to make pkg-config work in cross-builds +# llvm: for llvm-symbolizer, which is used by clang's UBSan for symbolized stack traces RUN apt-get install --no-install-recommends --no-upgrade -y \ git ca-certificates \ make automake libtool pkg-config dpkg-dev valgrind qemu-user \ - gcc clang libc6-dbg libgmp-dev \ - gcc-i686-linux-gnu libc6-dev-i386-cross libc6-dbg:i386 libgmp-dev:i386 \ - gcc-s390x-linux-gnu libc6-dev-s390x-cross libc6-dbg:s390x + gcc clang llvm libc6-dbg \ + gcc-i686-linux-gnu libc6-dev-i386-cross libc6-dbg:i386 libubsan1:i386 libasan5:i386 \ + gcc-s390x-linux-gnu libc6-dev-s390x-cross libc6-dbg:s390x \ + gcc-arm-linux-gnueabihf libc6-dev-armhf-cross libc6-dbg:armhf \ + gcc-aarch64-linux-gnu libc6-dev-arm64-cross libc6-dbg:arm64 \ + gcc-powerpc64le-linux-gnu libc6-dev-ppc64el-cross libc6-dbg:ppc64el \ + wine gcc-mingw-w64-x86-64 + +# Run a dummy command in wine to make it set up configuration +RUN wine64-stable xcopy || true diff --git a/secp256k1-zkp-sys/depend/secp256k1/configure.ac b/secp256k1-zkp-sys/depend/secp256k1/configure.ac index 17e52078..849200af 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/configure.ac +++ b/secp256k1-zkp-sys/depend/secp256k1/configure.ac @@ -48,17 +48,12 @@ case $host_os in # in expected paths because they may conflict with system files. Ask # Homebrew where each one is located, then adjust paths accordingly. openssl_prefix=`$BREW --prefix openssl 2>/dev/null` - gmp_prefix=`$BREW --prefix gmp 2>/dev/null` valgrind_prefix=`$BREW --prefix valgrind 2>/dev/null` if test x$openssl_prefix != x; then PKG_CONFIG_PATH="$openssl_prefix/lib/pkgconfig:$PKG_CONFIG_PATH" export PKG_CONFIG_PATH CRYPTO_CPPFLAGS="-I$openssl_prefix/include" fi - if test x$gmp_prefix != x; then - GMP_CPPFLAGS="-I$gmp_prefix/include" - GMP_LIBS="-L$gmp_prefix/lib" - fi if test x$valgrind_prefix != x; then VALGRIND_CPPFLAGS="-I$valgrind_prefix/include" fi @@ -87,6 +82,15 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])], CFLAGS="$saved_CFLAGS" ]) +saved_CFLAGS="$CFLAGS" +CFLAGS="-Wconditional-uninitialized $CFLAGS" +AC_MSG_CHECKING([if ${CC} supports -Wconditional-uninitialized]) +AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + CFLAGS="$saved_CFLAGS" + ]) + saved_CFLAGS="$CFLAGS" CFLAGS="-fvisibility=hidden $CFLAGS" AC_MSG_CHECKING([if ${CC} supports -fvisibility=hidden]) @@ -204,9 +208,6 @@ AC_ARG_ENABLE(reduced_surjection_proof_size, # Legal values are int64 (for [u]int64_t), int128 (for [unsigned] __int128), and auto (the default). AC_ARG_WITH([test-override-wide-multiply], [] ,[set_widemul=$withval], [set_widemul=auto]) -AC_ARG_WITH([bignum], [AS_HELP_STRING([--with-bignum=gmp|no|auto], -[bignum implementation to use [default=auto]])],[req_bignum=$withval], [req_bignum=auto]) - AC_ARG_WITH([asm], [AS_HELP_STRING([--with-asm=x86_64|arm|no|auto], [assembly optimizations to useĀ (experimental: arm) [default=auto]])],[req_asm=$withval], [req_asm=auto]) @@ -297,32 +298,6 @@ else esac fi -if test x"$req_bignum" = x"auto"; then - SECP_GMP_CHECK - if test x"$has_gmp" = x"yes"; then - set_bignum=gmp - fi - - if test x"$set_bignum" = x; then - set_bignum=no - fi -else - set_bignum=$req_bignum - case $set_bignum in - gmp) - SECP_GMP_CHECK - if test x"$has_gmp" != x"yes"; then - AC_MSG_ERROR([gmp bignum explicitly requested but libgmp not available]) - fi - ;; - no) - ;; - *) - AC_MSG_ERROR([invalid bignum implementation selection]) - ;; - esac -fi - # Select assembly optimization use_external_asm=no @@ -360,24 +335,6 @@ auto) ;; esac -# Select bignum implementation -case $set_bignum in -gmp) - AC_DEFINE(HAVE_LIBGMP, 1, [Define this symbol if libgmp is installed]) - AC_DEFINE(USE_NUM_GMP, 1, [Define this symbol to use the gmp implementation for num]) - AC_DEFINE(USE_FIELD_INV_NUM, 1, [Define this symbol to use the num-based field inverse implementation]) - AC_DEFINE(USE_SCALAR_INV_NUM, 1, [Define this symbol to use the num-based scalar inverse implementation]) - ;; -no) - AC_DEFINE(USE_NUM_NONE, 1, [Define this symbol to use no num implementation]) - AC_DEFINE(USE_FIELD_INV_BUILTIN, 1, [Define this symbol to use the native field inverse implementation]) - AC_DEFINE(USE_SCALAR_INV_BUILTIN, 1, [Define this symbol to use the native scalar inverse implementation]) - ;; -*) - AC_MSG_ERROR([invalid bignum implementation]) - ;; -esac - # Set ecmult window size if test x"$req_ecmult_window" = x"auto"; then set_ecmult_window=15 @@ -442,11 +399,6 @@ else enable_openssl_tests=no fi -if test x"$set_bignum" = x"gmp"; then - SECP_LIBS="$SECP_LIBS $GMP_LIBS" - SECP_INCLUDES="$SECP_INCLUDES $GMP_CPPFLAGS" -fi - if test x"$enable_valgrind" = x"yes"; then SECP_INCLUDES="$SECP_INCLUDES $VALGRIND_CPPFLAGS" fi @@ -715,7 +667,6 @@ echo " module ecdsa-s2c = $enable_module_ecdsa_s2c" echo " module ecdsa-adaptor = $enable_module_ecdsa_adaptor" echo echo " asm = $set_asm" -echo " bignum = $set_bignum" echo " ecmult window size = $set_ecmult_window" echo " ecmult gen prec. bits = $set_ecmult_gen_precision" # Hide test-only options unless they're used. diff --git a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.c b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.c index d1969344..55f122fd 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.c +++ b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.c @@ -5,11 +5,10 @@ ***********************************************************************/ #include -#include #include "lax_der_parsing.h" -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der_lax(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der_lax(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { size_t rpos, rlen, spos, slen; size_t pos = 0; size_t lenbyte; @@ -17,7 +16,7 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der_lax(const rustsecp256k1zkp int overflow = 0; /* Hack to initialize sig with a correctly-parsed but invalid signature. */ - rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, sig, tmpsig); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, sig, tmpsig); /* Sequence tag byte */ if (pos == inputlen || input[pos] != 0x30) { @@ -138,11 +137,11 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der_lax(const rustsecp256k1zkp } if (!overflow) { - overflow = !rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, sig, tmpsig); + overflow = !rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, sig, tmpsig); } if (overflow) { memset(tmpsig, 0, 64); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, sig, tmpsig); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, sig, tmpsig); } return 1; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.h b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.h index 58a43562..f92b6bd9 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.h +++ b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_parsing.h @@ -26,8 +26,8 @@ * certain violations are easily supported. You may need to adapt it. * * Do not use this for new systems. Use well-defined DER or compact signatures - * instead if you have the choice (see rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der and - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact). + * instead if you have the choice (see rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der and + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact). * * The supported violations are: * - All numbers are parsed as nonnegative integers, even though X.609-0207 @@ -51,7 +51,13 @@ #ifndef SECP256K1_CONTRIB_LAX_DER_PARSING_H #define SECP256K1_CONTRIB_LAX_DER_PARSING_H +/* #include secp256k1.h only when it hasn't been included yet. + This enables this file to be #included directly in other project + files (such as tests.c) without the need to set an explicit -I flag, + which would be necessary to locate secp256k1.h. */ +#ifndef SECP256K1_H #include +#endif #ifdef __cplusplus extern "C" { @@ -77,9 +83,9 @@ extern "C" { * encoded numbers are out of range, signature validation with it is * guaranteed to fail for every message and public key. */ -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der_lax( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der_lax( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); diff --git a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c index 7eb0abc6..ea5466fe 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c +++ b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c @@ -5,11 +5,10 @@ ***********************************************************************/ #include -#include #include "lax_der_privatekey_parsing.h" -int ec_privkey_import_der(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) { +int ec_privkey_import_der(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) { const unsigned char *end = privkey + privkeylen; int lenb = 0; int len = 0; @@ -46,17 +45,17 @@ int ec_privkey_import_der(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned c return 0; } memcpy(out32 + 32 - privkey[1], privkey + 2, privkey[1]); - if (!rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, out32)) { + if (!rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, out32)) { memset(out32, 0, 32); return 0; } return 1; } -int ec_privkey_export_der(const rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) { - rustsecp256k1zkp_v0_5_0_pubkey pubkey; +int ec_privkey_export_der(const rustsecp256k1zkp_v0_6_0_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) { + rustsecp256k1zkp_v0_6_0_pubkey pubkey; size_t pubkeylen = 0; - if (!rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, key32)) { + if (!rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, key32)) { *privkeylen = 0; return 0; } @@ -80,7 +79,7 @@ int ec_privkey_export_der(const rustsecp256k1zkp_v0_5_0_context *ctx, unsigned c memcpy(ptr, key32, 32); ptr += 32; memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle); pubkeylen = 33; - rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED); + rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED); ptr += pubkeylen; *privkeylen = ptr - privkey; } else { @@ -105,7 +104,7 @@ int ec_privkey_export_der(const rustsecp256k1zkp_v0_5_0_context *ctx, unsigned c memcpy(ptr, key32, 32); ptr += 32; memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle); pubkeylen = 65; - rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED); + rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED); ptr += pubkeylen; *privkeylen = ptr - privkey; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h index b27fae63..c2f6e9ac 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h +++ b/secp256k1-zkp-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h @@ -28,7 +28,13 @@ #ifndef SECP256K1_CONTRIB_BER_PRIVATEKEY_H #define SECP256K1_CONTRIB_BER_PRIVATEKEY_H +/* #include secp256k1.h only when it hasn't been included yet. + This enables this file to be #included directly in other project + files (such as tests.c) without the need to set an explicit -I flag, + which would be necessary to locate secp256k1.h. */ +#ifndef SECP256K1_H #include +#endif #ifdef __cplusplus extern "C" { @@ -52,10 +58,10 @@ extern "C" { * simple 32-byte private keys are sufficient. * * Note that this function does not guarantee correct DER output. It is - * guaranteed to be parsable by rustsecp256k1zkp_v0_5_0_ec_privkey_import_der + * guaranteed to be parsable by rustsecp256k1zkp_v0_6_0_ec_privkey_import_der */ SECP256K1_WARN_UNUSED_RESULT int ec_privkey_export_der( - const rustsecp256k1zkp_v0_5_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *seckey, @@ -77,7 +83,7 @@ SECP256K1_WARN_UNUSED_RESULT int ec_privkey_export_der( * key. */ SECP256K1_WARN_UNUSED_RESULT int ec_privkey_import_der( - const rustsecp256k1zkp_v0_5_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *privkey, size_t privkeylen diff --git a/secp256k1-zkp-sys/depend/secp256k1/doc/safegcd_implementation.md b/secp256k1-zkp-sys/depend/secp256k1/doc/safegcd_implementation.md new file mode 100644 index 00000000..3ae556f9 --- /dev/null +++ b/secp256k1-zkp-sys/depend/secp256k1/doc/safegcd_implementation.md @@ -0,0 +1,765 @@ +# The safegcd implementation in libsecp256k1 explained + +This document explains the modular inverse implementation in the `src/modinv*.h` files. It is based +on the paper +["Fast constant-time gcd computation and modular inversion"](https://gcd.cr.yp.to/papers.html#safegcd) +by Daniel J. Bernstein and Bo-Yin Yang. The references below are for the Date: 2019.04.13 version. + +The actual implementation is in C of course, but for demonstration purposes Python3 is used here. +Most implementation aspects and optimizations are explained, except those that depend on the specific +number representation used in the C code. + +## 1. Computing the Greatest Common Divisor (GCD) using divsteps + +The algorithm from the paper (section 11), at a very high level, is this: + +```python +def gcd(f, g): + """Compute the GCD of an odd integer f and another integer g.""" + assert f & 1 # require f to be odd + delta = 1 # additional state variable + while g != 0: + assert f & 1 # f will be odd in every iteration + if delta > 0 and g & 1: + delta, f, g = 1 - delta, g, (g - f) // 2 + elif g & 1: + delta, f, g = 1 + delta, f, (g + f) // 2 + else: + delta, f, g = 1 + delta, f, (g ) // 2 + return abs(f) +``` + +It computes the greatest common divisor of an odd integer *f* and any integer *g*. Its inner loop +keeps rewriting the variables *f* and *g* alongside a state variable *δ* that starts at *1*, until +*g=0* is reached. At that point, *|f|* gives the GCD. Each of the transitions in the loop is called a +"division step" (referred to as divstep in what follows). + +For example, *gcd(21, 14)* would be computed as: +- Start with *δ=1 f=21 g=14* +- Take the third branch: *δ=2 f=21 g=7* +- Take the first branch: *δ=-1 f=7 g=-7* +- Take the second branch: *δ=0 f=7 g=0* +- The answer *|f| = 7*. + +Why it works: +- Divsteps can be decomposed into two steps (see paragraph 8.2 in the paper): + - (a) If *g* is odd, replace *(f,g)* with *(g,g-f)* or (f,g+f), resulting in an even *g*. + - (b) Replace *(f,g)* with *(f,g/2)* (where *g* is guaranteed to be even). +- Neither of those two operations change the GCD: + - For (a), assume *gcd(f,g)=c*, then it must be the case that *f=a c* and *g=b c* for some integers *a* + and *b*. As *(g,g-f)=(b c,(b-a)c)* and *(f,f+g)=(a c,(a+b)c)*, the result clearly still has + common factor *c*. Reasoning in the other direction shows that no common factor can be added by + doing so either. + - For (b), we know that *f* is odd, so *gcd(f,g)* clearly has no factor *2*, and we can remove + it from *g*. +- The algorithm will eventually converge to *g=0*. This is proven in the paper (see theorem G.3). +- It follows that eventually we find a final value *f'* for which *gcd(f,g) = gcd(f',0)*. As the + gcd of *f'* and *0* is *|f'|* by definition, that is our answer. + +Compared to more [traditional GCD algorithms](https://en.wikipedia.org/wiki/Euclidean_algorithm), this one has the property of only ever looking at +the low-order bits of the variables to decide the next steps, and being easy to make +constant-time (in more low-level languages than Python). The *δ* parameter is necessary to +guide the algorithm towards shrinking the numbers' magnitudes without explicitly needing to look +at high order bits. + +Properties that will become important later: +- Performing more divsteps than needed is not a problem, as *f* does not change anymore after *g=0*. +- Only even numbers are divided by *2*. This means that when reasoning about it algebraically we + do not need to worry about rounding. +- At every point during the algorithm's execution the next *N* steps only depend on the bottom *N* + bits of *f* and *g*, and on *δ*. + + +## 2. From GCDs to modular inverses + +We want an algorithm to compute the inverse *a* of *x* modulo *M*, i.e. the number a such that *a x=1 +mod M*. This inverse only exists if the GCD of *x* and *M* is *1*, but that is always the case if *M* is +prime and *0 < x < M*. In what follows, assume that the modular inverse exists. +It turns out this inverse can be computed as a side effect of computing the GCD by keeping track +of how the internal variables can be written as linear combinations of the inputs at every step +(see the [extended Euclidean algorithm](https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm)). +Since the GCD is *1*, such an algorithm will compute numbers *a* and *b* such that a x + b M = 1*. +Taking that expression *mod M* gives *a x mod M = 1*, and we see that *a* is the modular inverse of *x +mod M*. + +A similar approach can be used to calculate modular inverses using the divsteps-based GCD +algorithm shown above, if the modulus *M* is odd. To do so, compute *gcd(f=M,g=x)*, while keeping +track of extra variables *d* and *e*, for which at every step *d = f/x (mod M)* and *e = g/x (mod M)*. +*f/x* here means the number which multiplied with *x* gives *f mod M*. As *f* and *g* are initialized to *M* +and *x* respectively, *d* and *e* just start off being *0* (*M/x mod M = 0/x mod M = 0*) and *1* (*x/x mod M += 1*). + +```python +def div2(M, x): + """Helper routine to compute x/2 mod M (where M is odd).""" + assert M & 1 + if x & 1: # If x is odd, make it even by adding M. + x += M + # x must be even now, so a clean division by 2 is possible. + return x // 2 + +def modinv(M, x): + """Compute the inverse of x mod M (given that it exists, and M is odd).""" + assert M & 1 + delta, f, g, d, e = 1, M, x, 0, 1 + while g != 0: + # Note that while division by two for f and g is only ever done on even inputs, this is + # not true for d and e, so we need the div2 helper function. + if delta > 0 and g & 1: + delta, f, g, d, e = 1 - delta, g, (g - f) // 2, e, div2(M, e - d) + elif g & 1: + delta, f, g, d, e = 1 + delta, f, (g + f) // 2, d, div2(M, e + d) + else: + delta, f, g, d, e = 1 + delta, f, (g ) // 2, d, div2(M, e ) + # Verify that the invariants d=f/x mod M, e=g/x mod M are maintained. + assert f % M == (d * x) % M + assert g % M == (e * x) % M + assert f == 1 or f == -1 # |f| is the GCD, it must be 1 + # Because of invariant d = f/x (mod M), 1/x = d/f (mod M). As |f|=1, d/f = d*f. + return (d * f) % M +``` + +Also note that this approach to track *d* and *e* throughout the computation to determine the inverse +is different from the paper. There (see paragraph 12.1 in the paper) a transition matrix for the +entire computation is determined (see section 3 below) and the inverse is computed from that. +The approach here avoids the need for 2x2 matrix multiplications of various sizes, and appears to +be faster at the level of optimization we're able to do in C. + + +## 3. Batching multiple divsteps + +Every divstep can be expressed as a matrix multiplication, applying a transition matrix *(1/2 t)* +to both vectors *[f, g]* and *[d, e]* (see paragraph 8.1 in the paper): + +``` + t = [ u, v ] + [ q, r ] + + [ out_f ] = (1/2 * t) * [ in_f ] + [ out_g ] = [ in_g ] + + [ out_d ] = (1/2 * t) * [ in_d ] (mod M) + [ out_e ] [ in_e ] +``` + +where *(u, v, q, r)* is *(0, 2, -1, 1)*, *(2, 0, 1, 1)*, or *(2, 0, 0, 1)*, depending on which branch is +taken. As above, the resulting *f* and *g* are always integers. + +Performing multiple divsteps corresponds to a multiplication with the product of all the +individual divsteps' transition matrices. As each transition matrix consists of integers +divided by *2*, the product of these matrices will consist of integers divided by *2N* (see also +theorem 9.2 in the paper). These divisions are expensive when updating *d* and *e*, so we delay +them: we compute the integer coefficients of the combined transition matrix scaled by *2N*, and +do one division by *2N* as a final step: + +```python +def divsteps_n_matrix(delta, f, g): + """Compute delta and transition matrix t after N divsteps (multiplied by 2^N).""" + u, v, q, r = 1, 0, 0, 1 # start with identity matrix + for _ in range(N): + if delta > 0 and g & 1: + delta, f, g, u, v, q, r = 1 - delta, g, (g - f) // 2, 2*q, 2*r, q-u, r-v + elif g & 1: + delta, f, g, u, v, q, r = 1 + delta, f, (g + f) // 2, 2*u, 2*v, q+u, r+v + else: + delta, f, g, u, v, q, r = 1 + delta, f, (g ) // 2, 2*u, 2*v, q , r + return delta, (u, v, q, r) +``` + +As the branches in the divsteps are completely determined by the bottom *N* bits of *f* and *g*, this +function to compute the transition matrix only needs to see those bottom bits. Furthermore all +intermediate results and outputs fit in *(N+1)*-bit numbers (unsigned for *f* and *g*; signed for *u*, *v*, +*q*, and *r*) (see also paragraph 8.3 in the paper). This means that an implementation using 64-bit +integers could set *N=62* and compute the full transition matrix for 62 steps at once without any +big integer arithmetic at all. This is the reason why this algorithm is efficient: it only needs +to update the full-size *f*, *g*, *d*, and *e* numbers once every *N* steps. + +We still need functions to compute: + +``` + [ out_f ] = (1/2^N * [ u, v ]) * [ in_f ] + [ out_g ] ( [ q, r ]) [ in_g ] + + [ out_d ] = (1/2^N * [ u, v ]) * [ in_d ] (mod M) + [ out_e ] ( [ q, r ]) [ in_e ] +``` + +Because the divsteps transformation only ever divides even numbers by two, the result of *t [f,g]* is always even. When *t* is a composition of *N* divsteps, it follows that the resulting *f* +and *g* will be multiple of *2N*, and division by *2N* is simply shifting them down: + +```python +def update_fg(f, g, t): + """Multiply matrix t/2^N with [f, g].""" + u, v, q, r = t + cf, cg = u*f + v*g, q*f + r*g + # (t / 2^N) should cleanly apply to [f,g] so the result of t*[f,g] should have N zero + # bottom bits. + assert cf % 2**N == 0 + assert cg % 2**N == 0 + return cf >> N, cg >> N +``` + +The same is not true for *d* and *e*, and we need an equivalent of the `div2` function for division by *2N mod M*. +This is easy if we have precomputed *1/M mod 2N* (which always exists for odd *M*): + +```python +def div2n(M, Mi, x): + """Compute x/2^N mod M, given Mi = 1/M mod 2^N.""" + assert (M * Mi) % 2**N == 1 + # Find a factor m such that m*M has the same bottom N bits as x. We want: + # (m * M) mod 2^N = x mod 2^N + # <=> m mod 2^N = (x / M) mod 2^N + # <=> m mod 2^N = (x * Mi) mod 2^N + m = (Mi * x) % 2**N + # Subtract that multiple from x, cancelling its bottom N bits. + x -= m * M + # Now a clean division by 2^N is possible. + assert x % 2**N == 0 + return (x >> N) % M + +def update_de(d, e, t, M, Mi): + """Multiply matrix t/2^N with [d, e], modulo M.""" + u, v, q, r = t + cd, ce = u*d + v*e, q*d + r*e + return div2n(M, Mi, cd), div2n(M, Mi, ce) +``` + +With all of those, we can write a version of `modinv` that performs *N* divsteps at once: + +```python3 +def modinv(M, Mi, x): + """Compute the modular inverse of x mod M, given Mi=1/M mod 2^N.""" + assert M & 1 + delta, f, g, d, e = 1, M, x, 0, 1 + while g != 0: + # Compute the delta and transition matrix t for the next N divsteps (this only needs + # (N+1)-bit signed integer arithmetic). + delta, t = divsteps_n_matrix(delta, f % 2**N, g % 2**N) + # Apply the transition matrix t to [f, g]: + f, g = update_fg(f, g, t) + # Apply the transition matrix t to [d, e]: + d, e = update_de(d, e, t, M, Mi) + return (d * f) % M +``` + +This means that in practice we'll always perform a multiple of *N* divsteps. This is not a problem +because once *g=0*, further divsteps do not affect *f*, *g*, *d*, or *e* anymore (only *δ* keeps +increasing). For variable time code such excess iterations will be mostly optimized away in later +sections. + + +## 4. Avoiding modulus operations + +So far, there are two places where we compute a remainder of big numbers modulo *M*: at the end of +`div2n` in every `update_de`, and at the very end of `modinv` after potentially negating *d* due to the +sign of *f*. These are relatively expensive operations when done generically. + +To deal with the modulus operation in `div2n`, we simply stop requiring *d* and *e* to be in range +*[0,M)* all the time. Let's start by inlining `div2n` into `update_de`, and dropping the modulus +operation at the end: + +```python +def update_de(d, e, t, M, Mi): + """Multiply matrix t/2^N with [d, e] mod M, given Mi=1/M mod 2^N.""" + u, v, q, r = t + cd, ce = u*d + v*e, q*d + r*e + # Cancel out bottom N bits of cd and ce. + md = -((Mi * cd) % 2**N) + me = -((Mi * ce) % 2**N) + cd += md * M + ce += me * M + # And cleanly divide by 2**N. + return cd >> N, ce >> N +``` + +Let's look at bounds on the ranges of these numbers. It can be shown that *|u|+|v|* and *|q|+|r|* +never exceed *2N* (see paragraph 8.3 in the paper), and thus a multiplication with *t* will have +outputs whose absolute values are at most *2N* times the maximum absolute input value. In case the +inputs *d* and *e* are in *(-M,M)*, which is certainly true for the initial values *d=0* and *e=1* assuming +*M > 1*, the multiplication results in numbers in range *(-2NM,2NM)*. Subtracting less than *2N* +times *M* to cancel out *N* bits brings that up to *(-2N+1M,2NM)*, and +dividing by *2N* at the end takes it to *(-2M,M)*. Another application of `update_de` would take that +to *(-3M,2M)*, and so forth. This progressive expansion of the variables' ranges can be +counteracted by incrementing *d* and *e* by *M* whenever they're negative: + +```python + ... + if d < 0: + d += M + if e < 0: + e += M + cd, ce = u*d + v*e, q*d + r*e + # Cancel out bottom N bits of cd and ce. + ... +``` + +With inputs in *(-2M,M)*, they will first be shifted into range *(-M,M)*, which means that the +output will again be in *(-2M,M)*, and this remains the case regardless of how many `update_de` +invocations there are. In what follows, we will try to make this more efficient. + +Note that increasing *d* by *M* is equal to incrementing *cd* by *u M* and *ce* by *q M*. Similarly, +increasing *e* by *M* is equal to incrementing *cd* by *v M* and *ce* by *r M*. So we could instead write: + +```python + ... + cd, ce = u*d + v*e, q*d + r*e + # Perform the equivalent of incrementing d, e by M when they're negative. + if d < 0: + cd += u*M + ce += q*M + if e < 0: + cd += v*M + ce += r*M + # Cancel out bottom N bits of cd and ce. + md = -((Mi * cd) % 2**N) + me = -((Mi * ce) % 2**N) + cd += md * M + ce += me * M + ... +``` + +Now note that we have two steps of corrections to *cd* and *ce* that add multiples of *M*: this +increment, and the decrement that cancels out bottom bits. The second one depends on the first +one, but they can still be efficiently combined by only computing the bottom bits of *cd* and *ce* +at first, and using that to compute the final *md*, *me* values: + +```python +def update_de(d, e, t, M, Mi): + """Multiply matrix t/2^N with [d, e], modulo M.""" + u, v, q, r = t + md, me = 0, 0 + # Compute what multiples of M to add to cd and ce. + if d < 0: + md += u + me += q + if e < 0: + md += v + me += r + # Compute bottom N bits of t*[d,e] + M*[md,me]. + cd, ce = (u*d + v*e + md*M) % 2**N, (q*d + r*e + me*M) % 2**N + # Correct md and me such that the bottom N bits of t*[d,e] + M*[md,me] are zero. + md -= (Mi * cd) % 2**N + me -= (Mi * ce) % 2**N + # Do the full computation. + cd, ce = u*d + v*e + md*M, q*d + r*e + me*M + # And cleanly divide by 2**N. + return cd >> N, ce >> N +``` + +One last optimization: we can avoid the *md M* and *me M* multiplications in the bottom bits of *cd* +and *ce* by moving them to the *md* and *me* correction: + +```python + ... + # Compute bottom N bits of t*[d,e]. + cd, ce = (u*d + v*e) % 2**N, (q*d + r*e) % 2**N + # Correct md and me such that the bottom N bits of t*[d,e]+M*[md,me] are zero. + # Note that this is not the same as {md = (-Mi * cd) % 2**N} etc. That would also result in N + # zero bottom bits, but isn't guaranteed to be a reduction of [0,2^N) compared to the + # previous md and me values, and thus would violate our bounds analysis. + md -= (Mi*cd + md) % 2**N + me -= (Mi*ce + me) % 2**N + ... +``` + +The resulting function takes *d* and *e* in range *(-2M,M)* as inputs, and outputs values in the same +range. That also means that the *d* value at the end of `modinv` will be in that range, while we want +a result in *[0,M)*. To do that, we need a normalization function. It's easy to integrate the +conditional negation of *d* (based on the sign of *f*) into it as well: + +```python +def normalize(sign, v, M): + """Compute sign*v mod M, where v is in range (-2*M,M); output in [0,M).""" + assert sign == 1 or sign == -1 + # v in (-2*M,M) + if v < 0: + v += M + # v in (-M,M). Now multiply v with sign (which can only be 1 or -1). + if sign == -1: + v = -v + # v in (-M,M) + if v < 0: + v += M + # v in [0,M) + return v +``` + +And calling it in `modinv` is simply: + +```python + ... + return normalize(f, d, M) +``` + + +## 5. Constant-time operation + +The primary selling point of the algorithm is fast constant-time operation. What code flow still +depends on the input data so far? + +- the number of iterations of the while *g ≠ 0* loop in `modinv` +- the branches inside `divsteps_n_matrix` +- the sign checks in `update_de` +- the sign checks in `normalize` + +To make the while loop in `modinv` constant time it can be replaced with a constant number of +iterations. The paper proves (Theorem 11.2) that *741* divsteps are sufficient for any *256*-bit +inputs, and [safegcd-bounds](https://github.com/sipa/safegcd-bounds) shows that the slightly better bound *724* is +sufficient even. Given that every loop iteration performs *N* divsteps, it will run a total of +*⌈724/N⌉* times. + +To deal with the branches in `divsteps_n_matrix` we will replace them with constant-time bitwise +operations (and hope the C compiler isn't smart enough to turn them back into branches; see +`valgrind_ctime_test.c` for automated tests that this isn't the case). To do so, observe that a +divstep can be written instead as (compare to the inner loop of `gcd` in section 1). + +```python + x = -f if delta > 0 else f # set x equal to (input) -f or f + if g & 1: + g += x # set g to (input) g-f or g+f + if delta > 0: + delta = -delta + f += g # set f to (input) g (note that g was set to g-f before) + delta += 1 + g >>= 1 +``` + +To convert the above to bitwise operations, we rely on a trick to negate conditionally: per the +definition of negative numbers in two's complement, (*-v == ~v + 1*) holds for every number *v*. As +*-1* in two's complement is all *1* bits, bitflipping can be expressed as xor with *-1*. It follows +that *-v == (v ^ -1) - (-1)*. Thus, if we have a variable *c* that takes on values *0* or *-1*, then +*(v ^ c) - c* is *v* if *c=0* and *-v* if *c=-1*. + +Using this we can write: + +```python + x = -f if delta > 0 else f +``` + +in constant-time form as: + +```python + c1 = (-delta) >> 63 + # Conditionally negate f based on c1: + x = (f ^ c1) - c1 +``` + +To use that trick, we need a helper mask variable *c1* that resolves the condition *δ>0* to *-1* +(if true) or *0* (if false). We compute *c1* using right shifting, which is equivalent to dividing by +the specified power of *2* and rounding down (in Python, and also in C under the assumption of a typical two's complement system; see +`assumptions.h` for tests that this is the case). Right shifting by *63* thus maps all +numbers in range *[-263,0)* to *-1*, and numbers in range *[0,263)* to *0*. + +Using the facts that *x&0=0* and *x&(-1)=x* (on two's complement systems again), we can write: + +```python + if g & 1: + g += x +``` + +as: + +```python + # Compute c2=0 if g is even and c2=-1 if g is odd. + c2 = -(g & 1) + # This masks out x if g is even, and leaves x be if g is odd. + g += x & c2 +``` + +Using the conditional negation trick again we can write: + +```python + if g & 1: + if delta > 0: + delta = -delta +``` + +as: + +```python + # Compute c3=-1 if g is odd and delta>0, and 0 otherwise. + c3 = c1 & c2 + # Conditionally negate delta based on c3: + delta = (delta ^ c3) - c3 +``` + +Finally: + +```python + if g & 1: + if delta > 0: + f += g +``` + +becomes: + +```python + f += g & c3 +``` + +It turns out that this can be implemented more efficiently by applying the substitution +*η=-δ*. In this representation, negating *δ* corresponds to negating *η*, and incrementing +*δ* corresponds to decrementing *η*. This allows us to remove the negation in the *c1* +computation: + +```python + # Compute a mask c1 for eta < 0, and compute the conditional negation x of f: + c1 = eta >> 63 + x = (f ^ c1) - c1 + # Compute a mask c2 for odd g, and conditionally add x to g: + c2 = -(g & 1) + g += x & c2 + # Compute a mask c for (eta < 0) and odd (input) g, and use it to conditionally negate eta, + # and add g to f: + c3 = c1 & c2 + eta = (eta ^ c3) - c3 + f += g & c3 + # Incrementing delta corresponds to decrementing eta. + eta -= 1 + g >>= 1 +``` + +A variant of divsteps with better worst-case performance can be used instead: starting *δ* at +*1/2* instead of *1*. This reduces the worst case number of iterations to *590* for *256*-bit inputs +(which can be shown using convex hull analysis). In this case, the substitution *ζ=-(δ+1/2)* +is used instead to keep the variable integral. Incrementing *δ* by *1* still translates to +decrementing *ζ* by *1*, but negating *δ* now corresponds to going from *ζ* to *-(ζ+1)*, or +*~ζ*. Doing that conditionally based on *c3* is simply: + +```python + ... + c3 = c1 & c2 + zeta ^= c3 + ... +``` + +By replacing the loop in `divsteps_n_matrix` with a variant of the divstep code above (extended to +also apply all *f* operations to *u*, *v* and all *g* operations to *q*, *r*), a constant-time version of +`divsteps_n_matrix` is obtained. The full code will be in section 7. + +These bit fiddling tricks can also be used to make the conditional negations and additions in +`update_de` and `normalize` constant-time. + + +## 6. Variable-time optimizations + +In section 5, we modified the `divsteps_n_matrix` function (and a few others) to be constant time. +Constant time operations are only necessary when computing modular inverses of secret data. In +other cases, it slows down calculations unnecessarily. In this section, we will construct a +faster non-constant time `divsteps_n_matrix` function. + +To do so, first consider yet another way of writing the inner loop of divstep operations in +`gcd` from section 1. This decomposition is also explained in the paper in section 8.2. We use +the original version with initial *δ=1* and *η=-δ* here. + +```python +for _ in range(N): + if g & 1 and eta < 0: + eta, f, g = -eta, g, -f + if g & 1: + g += f + eta -= 1 + g >>= 1 +``` + +Whenever *g* is even, the loop only shifts *g* down and decreases *η*. When *g* ends in multiple zero +bits, these iterations can be consolidated into one step. This requires counting the bottom zero +bits efficiently, which is possible on most platforms; it is abstracted here as the function +`count_trailing_zeros`. + +```python +def count_trailing_zeros(v): + """For a non-zero value v, find z such that v=(d<>= zeros + i -= zeros + if i == 0: + break + # We know g is odd now + if eta < 0: + eta, f, g = -eta, g, -f + g += f + # g is even now, and the eta decrement and g shift will happen in the next loop. +``` + +We can now remove multiple bottom *0* bits from *g* at once, but still need a full iteration whenever +there is a bottom *1* bit. In what follows, we will get rid of multiple *1* bits simultaneously as +well. + +Observe that as long as *η ≥ 0*, the loop does not modify *f*. Instead, it cancels out bottom +bits of *g* and shifts them out, and decreases *η* and *i* accordingly - interrupting only when *η* +becomes negative, or when *i* reaches *0*. Combined, this is equivalent to adding a multiple of *f* to +*g* to cancel out multiple bottom bits, and then shifting them out. + +It is easy to find what that multiple is: we want a number *w* such that *g+w f* has a few bottom +zero bits. If that number of bits is *L*, we want *g+w f mod 2L = 0*, or *w = -g/f mod 2L*. Since *f* +is odd, such a *w* exists for any *L*. *L* cannot be more than *i* steps (as we'd finish the loop before +doing more) or more than *η+1* steps (as we'd run `eta, f, g = -eta, g, f` at that point), but +apart from that, we're only limited by the complexity of computing *w*. + +This code demonstrates how to cancel up to 4 bits per step: + +```python +NEGINV16 = [15, 5, 3, 9, 7, 13, 11, 1] # NEGINV16[n//2] = (-n)^-1 mod 16, for odd n +i = N +while True: + zeros = min(i, count_trailing_zeros(g)) + eta -= zeros + g >>= zeros + i -= zeros + if i == 0: + break + # We know g is odd now + if eta < 0: + eta, f, g = -eta, g, f + # Compute limit on number of bits to cancel + limit = min(min(eta + 1, i), 4) + # Compute w = -g/f mod 2**limit, using the table value for -1/f mod 2**4. Note that f is + # always odd, so its inverse modulo a power of two always exists. + w = (g * NEGINV16[(f & 15) // 2]) % (2**limit) + # As w = -g/f mod (2**limit), g+w*f mod 2**limit = 0 mod 2**limit. + g += w * f + assert g % (2**limit) == 0 + # The next iteration will now shift out at least limit bottom zero bits from g. +``` + +By using a bigger table more bits can be cancelled at once. The table can also be implemented +as a formula. Several formulas are known for computing modular inverses modulo powers of two; +some can be found in Hacker's Delight second edition by Henry S. Warren, Jr. pages 245-247. +Here we need the negated modular inverse, which is a simple transformation of those: + +- Instead of a 3-bit table: + - *-f* or *f ^ 6* +- Instead of a 4-bit table: + - *1 - f(f + 1)* + - *-(f + (((f + 1) & 4) << 1))* +- For larger tables the following technique can be used: if *w=-1/f mod 2L*, then *w(w f+2)* is + *-1/f mod 22L*. This allows extending the previous formulas (or tables). In particular we + have this 6-bit function (based on the 3-bit function above): + - *f(f2 - 2)* + +This loop, again extended to also handle *u*, *v*, *q*, and *r* alongside *f* and *g*, placed in +`divsteps_n_matrix`, gives a significantly faster, but non-constant time version. + + +## 7. Final Python version + +All together we need the following functions: + +- A way to compute the transition matrix in constant time, using the `divsteps_n_matrix` function + from section 2, but with its loop replaced by a variant of the constant-time divstep from + section 5, extended to handle *u*, *v*, *q*, *r*: + +```python +def divsteps_n_matrix(zeta, f, g): + """Compute zeta and transition matrix t after N divsteps (multiplied by 2^N).""" + u, v, q, r = 1, 0, 0, 1 # start with identity matrix + for _ in range(N): + c1 = zeta >> 63 + # Compute x, y, z as conditionally-negated versions of f, u, v. + x, y, z = (f ^ c1) - c1, (u ^ c1) - c1, (v ^ c1) - c1 + c2 = -(g & 1) + # Conditionally add x, y, z to g, q, r. + g, q, r = g + (x & c2), q + (y & c2), r + (z & c2) + c1 &= c2 # reusing c1 here for the earlier c3 variable + zeta = (zeta ^ c1) - 1 # inlining the unconditional zeta decrement here + # Conditionally add g, q, r to f, u, v. + f, u, v = f + (g & c1), u + (q & c1), v + (r & c1) + # When shifting g down, don't shift q, r, as we construct a transition matrix multiplied + # by 2^N. Instead, shift f's coefficients u and v up. + g, u, v = g >> 1, u << 1, v << 1 + return zeta, (u, v, q, r) +``` + +- The functions to update *f* and *g*, and *d* and *e*, from section 2 and section 4, with the constant-time + changes to `update_de` from section 5: + +```python +def update_fg(f, g, t): + """Multiply matrix t/2^N with [f, g].""" + u, v, q, r = t + cf, cg = u*f + v*g, q*f + r*g + return cf >> N, cg >> N + +def update_de(d, e, t, M, Mi): + """Multiply matrix t/2^N with [d, e], modulo M.""" + u, v, q, r = t + d_sign, e_sign = d >> 257, e >> 257 + md, me = (u & d_sign) + (v & e_sign), (q & d_sign) + (r & e_sign) + cd, ce = (u*d + v*e) % 2**N, (q*d + r*e) % 2**N + md -= (Mi*cd + md) % 2**N + me -= (Mi*ce + me) % 2**N + cd, ce = u*d + v*e + M*md, q*d + r*e + M*me + return cd >> N, ce >> N +``` + +- The `normalize` function from section 4, made constant time as well: + +```python +def normalize(sign, v, M): + """Compute sign*v mod M, where v in (-2*M,M); output in [0,M).""" + v_sign = v >> 257 + # Conditionally add M to v. + v += M & v_sign + c = (sign - 1) >> 1 + # Conditionally negate v. + v = (v ^ c) - c + v_sign = v >> 257 + # Conditionally add M to v again. + v += M & v_sign + return v +``` + +- And finally the `modinv` function too, adapted to use *ζ* instead of *δ*, and using the fixed + iteration count from section 5: + +```python +def modinv(M, Mi, x): + """Compute the modular inverse of x mod M, given Mi=1/M mod 2^N.""" + zeta, f, g, d, e = -1, M, x, 0, 1 + for _ in range((590 + N - 1) // N): + zeta, t = divsteps_n_matrix(zeta, f % 2**N, g % 2**N) + f, g = update_fg(f, g, t) + d, e = update_de(d, e, t, M, Mi) + return normalize(f, d, M) +``` + +- To get a variable time version, replace the `divsteps_n_matrix` function with one that uses the + divsteps loop from section 5, and a `modinv` version that calls it without the fixed iteration + count: + +```python +NEGINV16 = [15, 5, 3, 9, 7, 13, 11, 1] # NEGINV16[n//2] = (-n)^-1 mod 16, for odd n +def divsteps_n_matrix_var(eta, f, g): + """Compute eta and transition matrix t after N divsteps (multiplied by 2^N).""" + u, v, q, r = 1, 0, 0, 1 + i = N + while True: + zeros = min(i, count_trailing_zeros(g)) + eta, i = eta - zeros, i - zeros + g, u, v = g >> zeros, u << zeros, v << zeros + if i == 0: + break + if eta < 0: + eta, f, u, v, g, q, r = -eta, g, q, r, -f, -u, -v + limit = min(min(eta + 1, i), 4) + w = (g * NEGINV16[(f & 15) // 2]) % (2**limit) + g, q, r = g + w*f, q + w*u, r + w*v + return eta, (u, v, q, r) + +def modinv_var(M, Mi, x): + """Compute the modular inverse of x mod M, given Mi = 1/M mod 2^N.""" + eta, f, g, d, e = -1, M, x, 0, 1 + while g != 0: + eta, t = divsteps_n_matrix_var(eta, f % 2**N, g % 2**N) + f, g = update_fg(f, g, t) + d, e = update_de(d, e, t, M, Mi) + return normalize(f, d, Mi) +``` diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h index b9306e22..8ecf4224 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h @@ -7,7 +7,9 @@ extern "C" { #include -/* These rules specify the order of arguments in API calls: +/* Unless explicitly stated all pointer arguments must not be NULL. + * + * The following rules specify the order of arguments in API calls: * * 1. Context pointers go first, followed by output arguments, combined * output/input arguments, and finally input-only arguments. @@ -35,13 +37,13 @@ extern "C" { * A constructed context can safely be used from multiple threads * simultaneously, but API calls that take a non-const pointer to a context * need exclusive access to it. In particular this is the case for - * rustsecp256k1zkp_v0_5_0_context_destroy, rustsecp256k1zkp_v0_5_0_context_preallocated_destroy, - * and rustsecp256k1zkp_v0_5_0_context_randomize. + * rustsecp256k1zkp_v0_6_0_context_destroy, rustsecp256k1zkp_v0_6_0_context_preallocated_destroy, + * and rustsecp256k1zkp_v0_6_0_context_randomize. * * Regarding randomization, either do it once at creation time (in which case * you do not need any locking for the other calls), or use a read-write lock. */ -typedef struct rustsecp256k1zkp_v0_5_0_context_struct rustsecp256k1zkp_v0_5_0_context; +typedef struct rustsecp256k1zkp_v0_6_0_context_struct rustsecp256k1zkp_v0_6_0_context; /** Opaque data structure that holds rewriteable "scratch space" * @@ -54,19 +56,20 @@ typedef struct rustsecp256k1zkp_v0_5_0_context_struct rustsecp256k1zkp_v0_5_0_co * Unlike the context object, this cannot safely be shared between threads * without additional synchronization logic. */ -typedef struct rustsecp256k1zkp_v0_5_0_scratch_space_struct rustsecp256k1zkp_v0_5_0_scratch_space; +typedef struct rustsecp256k1zkp_v0_6_0_scratch_space_struct rustsecp256k1zkp_v0_6_0_scratch_space; /** Opaque data structure that holds a parsed and valid public key. * * The exact representation of data inside is implementation defined and not * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. - * If you need to convert to a format suitable for storage, transmission, or - * comparison, use rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize and rustsecp256k1zkp_v0_5_0_ec_pubkey_parse. + * If you need to convert to a format suitable for storage or transmission, + * use rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize and rustsecp256k1zkp_v0_6_0_ec_pubkey_parse. To + * compare keys, use rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_pubkey; +} rustsecp256k1zkp_v0_6_0_pubkey; /** Opaque data structured that holds a parsed ECDSA signature. * @@ -74,12 +77,12 @@ typedef struct { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage, transmission, or - * comparison, use the rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_* and - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_* functions. + * comparison, use the rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_* and + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_* functions. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_ecdsa_signature; +} rustsecp256k1zkp_v0_6_0_ecdsa_signature; /** A pointer to a function to deterministically generate a nonce. * @@ -97,7 +100,7 @@ typedef struct { * Except for test cases, this function should compute some cryptographic hash of * the message, the algorithm, the key and the attempt. */ -typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( +typedef int (*rustsecp256k1zkp_v0_6_0_nonce_function)( unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, @@ -127,6 +130,17 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( # define SECP256K1_INLINE inline # endif +/** When this header is used at build-time the SECP256K1_BUILD define needs to be set + * to correctly setup export attributes and nullness checks. This is normally done + * by secp256k1.c but to guard against this header being included before secp256k1.c + * has had a chance to set the define (e.g. via test harnesses that just includes + * secp256k1.c) we set SECP256K1_NO_BUILD when this header is processed without the + * BUILD define so this condition can be caught. + */ +#ifndef SECP256K1_BUILD +# define SECP256K1_NO_BUILD +#endif + #ifndef SECP256K1_API # if defined(_WIN32) # ifdef SECP256K1_BUILD @@ -165,14 +179,14 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( #define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY (1 << 10) #define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8) -/** Flags to pass to rustsecp256k1zkp_v0_5_0_context_create, rustsecp256k1zkp_v0_5_0_context_preallocated_size, and - * rustsecp256k1zkp_v0_5_0_context_preallocated_create. */ +/** Flags to pass to rustsecp256k1zkp_v0_6_0_context_create, rustsecp256k1zkp_v0_6_0_context_preallocated_size, and + * rustsecp256k1zkp_v0_6_0_context_preallocated_create. */ #define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) #define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN) #define SECP256K1_CONTEXT_DECLASSIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY) #define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT) -/** Flag to pass to rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize. */ +/** Flag to pass to rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize. */ #define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION) #define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION) @@ -188,25 +202,25 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( * API consistency, but currently do not require expensive precomputations or dynamic * allocations. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_context *rustsecp256k1zkp_v0_5_0_context_no_precomp; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_context *rustsecp256k1zkp_v0_6_0_context_no_precomp; /** Create a secp256k1 context object (in dynamically allocated memory). * * This function uses malloc to allocate memory. It is guaranteed that malloc is * called at most once for every call of this function. If you need to avoid dynamic - * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_5_0_preallocated.h. + * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_6_0_preallocated.h. * * Returns: a newly created context object. * In: flags: which parts of the context to initialize. * - * See also rustsecp256k1zkp_v0_5_0_context_randomize. + * See also rustsecp256k1zkp_v0_6_0_context_randomize. */ /** Copy a secp256k1 context object (into dynamically allocated memory). * * This function uses malloc to allocate memory. It is guaranteed that malloc is * called at most once for every call of this function. If you need to avoid dynamic - * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_5_0_preallocated.h. + * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_6_0_preallocated.h. * * Returns: a newly created context object. * Args: ctx: an existing context to copy (cannot be NULL) @@ -216,14 +230,14 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_context *rustsecp256k1zkp_v0_ * * The context pointer may not be used afterwards. * - * The context to destroy must have been created using rustsecp256k1zkp_v0_5_0_context_create - * or rustsecp256k1zkp_v0_5_0_context_clone. If the context has instead been created using - * rustsecp256k1zkp_v0_5_0_context_preallocated_create or rustsecp256k1zkp_v0_5_0_context_preallocated_clone, the - * behaviour is undefined. In that case, rustsecp256k1zkp_v0_5_0_context_preallocated_destroy must + * The context to destroy must have been created using rustsecp256k1zkp_v0_6_0_context_create + * or rustsecp256k1zkp_v0_6_0_context_clone. If the context has instead been created using + * rustsecp256k1zkp_v0_6_0_context_preallocated_create or rustsecp256k1zkp_v0_6_0_context_preallocated_clone, the + * behaviour is undefined. In that case, rustsecp256k1zkp_v0_6_0_context_preallocated_destroy must * be used instead. * * Args: ctx: an existing context to destroy, constructed using - * rustsecp256k1zkp_v0_5_0_context_create or rustsecp256k1zkp_v0_5_0_context_clone + * rustsecp256k1zkp_v0_6_0_context_create or rustsecp256k1zkp_v0_6_0_context_clone */ /** Set a callback function to be called when an illegal argument is passed to @@ -247,11 +261,11 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_context *rustsecp256k1zkp_v0_ * USE_EXTERNAL_DEFAULT_CALLBACKS is defined, which is the case if the build * has been configured with --enable-external-default-callbacks. Then the * following two symbols must be provided to link against: - * - void rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn(const char* message, void* data); - * - void rustsecp256k1zkp_v0_5_0_default_error_callback_fn(const char* message, void* data); + * - void rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn(const char* message, void* data); + * - void rustsecp256k1zkp_v0_6_0_default_error_callback_fn(const char* message, void* data); * The library can call these default handlers even before a proper callback data - * pointer could have been set using rustsecp256k1zkp_v0_5_0_context_set_illegal_callback or - * rustsecp256k1zkp_v0_5_0_context_set_error_callback, e.g., when the creation of a context + * pointer could have been set using rustsecp256k1zkp_v0_6_0_context_set_illegal_callback or + * rustsecp256k1zkp_v0_6_0_context_set_error_callback, e.g., when the creation of a context * fails. In this case, the corresponding default handler will be called with * the data pointer argument set to NULL. * @@ -261,10 +275,10 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_context *rustsecp256k1zkp_v0_ * (NULL restores the default handler.) * data: the opaque pointer to pass to fun above. * - * See also rustsecp256k1zkp_v0_5_0_context_set_error_callback. + * See also rustsecp256k1zkp_v0_6_0_context_set_error_callback. */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_illegal_callback( - rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API void rustsecp256k1zkp_v0_6_0_context_set_illegal_callback( + rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data ) SECP256K1_ARG_NONNULL(1); @@ -275,21 +289,21 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_illegal_callback( * This can only trigger in case of a hardware failure, miscompilation, * memory corruption, serious bug in the library, or other error would can * otherwise result in undefined behaviour. It will not trigger due to mere - * incorrect usage of the API (see rustsecp256k1zkp_v0_5_0_context_set_illegal_callback + * incorrect usage of the API (see rustsecp256k1zkp_v0_6_0_context_set_illegal_callback * for that). After this callback returns, anything may happen, including * crashing. * * Args: ctx: an existing context object (cannot be NULL) * In: fun: a pointer to a function to call when an internal error occurs, * taking a message and an opaque pointer (NULL restores the - * default handler, see rustsecp256k1zkp_v0_5_0_context_set_illegal_callback + * default handler, see rustsecp256k1zkp_v0_6_0_context_set_illegal_callback * for details). * data: the opaque pointer to pass to fun above. * - * See also rustsecp256k1zkp_v0_5_0_context_set_illegal_callback. + * See also rustsecp256k1zkp_v0_6_0_context_set_illegal_callback. */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_error_callback( - rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API void rustsecp256k1zkp_v0_6_0_context_set_error_callback( + rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data ) SECP256K1_ARG_NONNULL(1); @@ -323,9 +337,9 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_error_callback( * 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header * byte 0x06 or 0x07) format public keys. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey* pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey* pubkey, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -340,19 +354,34 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * In/Out: outputlen: a pointer to an integer which is initially set to the * size of output, and is overwritten with the written * size. - * In: pubkey: a pointer to a rustsecp256k1zkp_v0_5_0_pubkey containing an + * In: pubkey: a pointer to a rustsecp256k1zkp_v0_6_0_pubkey containing an * initialized public key. * flags: SECP256K1_EC_COMPRESSED if serialization should be in * compressed format, otherwise SECP256K1_EC_UNCOMPRESSED. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, - const rustsecp256k1zkp_v0_5_0_pubkey* pubkey, + const rustsecp256k1zkp_v0_6_0_pubkey* pubkey, unsigned int flags ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); +/** Compare two public keys using lexicographic (of compressed serialization) order + * + * Returns: <0 if the first public key is less than the second + * >0 if the first public key is greater than the second + * 0 if the two public keys are equal + * Args: ctx: a secp256k1 context object. + * In: pubkey1: first public key to compare + * pubkey2: second public key to compare + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_pubkey* pubkey1, + const rustsecp256k1zkp_v0_6_0_pubkey* pubkey2 +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + /** Parse an ECDSA signature in compact (64 bytes) format. * * Returns: 1 when the signature could be parsed, 0 otherwise. @@ -368,9 +397,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize( * S are zero, the resulting sig value is guaranteed to fail validation for any * message and public key. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input64 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -389,9 +418,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact( * encoded numbers are out of range, signature validation with it is * guaranteed to fail for every message and public key. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -407,11 +436,11 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der( * if 0 was returned). * In: sig: a pointer to an initialized signature object */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig + const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Serialize an ECDSA signature in compact (64 byte) format. @@ -421,12 +450,12 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der( * Out: output64: a pointer to a 64-byte array to store the compact serialization * In: sig: a pointer to an initialized signature object * - * See rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact for details about the encoding. + * See rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact for details about the encoding. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output64, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig + const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Verify an ECDSA signature. @@ -449,16 +478,16 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact( * form are accepted. * * If you need to accept ECDSA signatures from sources that do not obey this - * rule, apply rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize to the signature prior to + * rule, apply rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize to the signature prior to * validation, but be aware that doing so results in malleable signatures. * * For details, see the comments for that function. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ecdsa_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msghash32, - const rustsecp256k1zkp_v0_5_0_pubkey *pubkey + const rustsecp256k1zkp_v0_6_0_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Convert a signature to a normalized lower-S form. @@ -498,25 +527,25 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_ver * accept various non-unique encodings, so care should be taken when this * property is required for an application. * - * The rustsecp256k1zkp_v0_5_0_ecdsa_sign function will by default create signatures in the - * lower-S form, and rustsecp256k1zkp_v0_5_0_ecdsa_verify will not accept others. In case + * The rustsecp256k1zkp_v0_6_0_ecdsa_sign function will by default create signatures in the + * lower-S form, and rustsecp256k1zkp_v0_6_0_ecdsa_verify will not accept others. In case * signatures come from a system that cannot enforce this property, - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize must be called before verification. + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize must be called before verification. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigout, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigin +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigout, + const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigin ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3); /** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of * extra entropy. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_rfc6979; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_rfc6979; -/** A default safe nonce generation function (currently equal to rustsecp256k1zkp_v0_5_0_nonce_function_rfc6979). */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_default; +/** A default safe nonce generation function (currently equal to rustsecp256k1zkp_v0_6_0_nonce_function_rfc6979). */ +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_default; /** Create an ECDSA signature. * @@ -526,18 +555,18 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1z * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) * In: msghash32: the 32-byte message hash being signed (cannot be NULL) * seckey: pointer to a 32-byte secret key (cannot be NULL) - * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_5_0_nonce_function_default is used + * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_6_0_nonce_function_default is used * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) * * The created signature is always in lower-S form. See - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize for more details. + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize for more details. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, - rustsecp256k1zkp_v0_5_0_nonce_function noncefp, + rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -553,8 +582,8 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_sign( * Args: ctx: pointer to a context object (cannot be NULL) * In: seckey: pointer to a 32-byte secret key (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); @@ -566,32 +595,32 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey * Out: pubkey: pointer to the created public key (cannot be NULL) * In: seckey: pointer to a 32-byte secret key (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_create( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_create( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Negates a secret key in place. * * Returns: 0 if the given secret key is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify. 1 otherwise + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify. 1 otherwise * Args: ctx: pointer to a context object * In/Out: seckey: pointer to the 32-byte secret key to be negated. If the * secret key is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0 and + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0 and * seckey will be set to some unspecified value. (cannot be * NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_negate( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_negate( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); -/** Same as rustsecp256k1zkp_v0_5_0_ec_seckey_negate, but DEPRECATED. Will be removed in +/** Same as rustsecp256k1zkp_v0_6_0_ec_seckey_negate, but DEPRECATED. Will be removed in * future versions. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privkey_negate( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_privkey_negate( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); @@ -601,9 +630,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privke * Args: ctx: pointer to a context object * In/Out: pubkey: pointer to the public key to be negated (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_negate( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_negate( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); /** Tweak a secret key by adding tweak to it. @@ -613,24 +642,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * otherwise. * Args: ctx: pointer to a context object (cannot be NULL). * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is - * invalid according to rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this + * invalid according to rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this * function returns 0. seckey will be set to some unspecified * value if this function returns 0. (cannot be NULL) * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Same as rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add, but DEPRECATED. Will be removed in +/** Same as rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add, but DEPRECATED. Will be removed in * future versions. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -645,13 +674,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privke * In/Out: pubkey: pointer to a public key object. pubkey will be set to an * invalid value if this function returns 0 (cannot be NULL). * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -660,24 +689,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * Returns: 0 if the arguments are invalid. 1 otherwise. * Args: ctx: pointer to a context object (cannot be NULL). * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is - * invalid according to rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this + * invalid according to rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this * function returns 0. seckey will be set to some unspecified * value if this function returns 0. (cannot be NULL) * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Same as rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in +/** Same as rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in * future versions. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_mul( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_mul( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -690,13 +719,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privke * In/Out: pubkey: pointer to a public key object. pubkey will be set to an * invalid value if this function returns 0 (cannot be NULL). * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -721,12 +750,12 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * guaranteed and may change in the future. It is safe to call this function on * contexts not initialized for signing; then it will have no effect and return 1. * - * You should call this after rustsecp256k1zkp_v0_5_0_context_create or - * rustsecp256k1zkp_v0_5_0_context_clone (and rustsecp256k1zkp_v0_5_0_context_preallocated_create or - * rustsecp256k1zkp_v0_5_0_context_clone, resp.), and you may call this repeatedly afterwards. + * You should call this after rustsecp256k1zkp_v0_6_0_context_create or + * rustsecp256k1zkp_v0_6_0_context_clone (and rustsecp256k1zkp_v0_6_0_context_preallocated_create or + * rustsecp256k1zkp_v0_6_0_context_clone, resp.), and you may call this repeatedly afterwards. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_context_randomize( - rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_context_randomize( + rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seed32 ) SECP256K1_ARG_NONNULL(1); @@ -740,10 +769,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_context_r * In: ins: pointer to array of pointers to public keys (cannot be NULL) * n: the number of public keys to add together (must be at least 1) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_combine( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *out, - const rustsecp256k1zkp_v0_5_0_pubkey * const * ins, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_combine( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *out, + const rustsecp256k1zkp_v0_6_0_pubkey * const * ins, size_t n ) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h.orig b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h.orig index 27a9d9fb..876fc794 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h.orig +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1.h.orig @@ -7,7 +7,9 @@ extern "C" { #include -/* These rules specify the order of arguments in API calls: +/* Unless explicitly stated all pointer arguments must not be NULL. + * + * The following rules specify the order of arguments in API calls: * * 1. Context pointers go first, followed by output arguments, combined * output/input arguments, and finally input-only arguments. @@ -35,13 +37,13 @@ extern "C" { * A constructed context can safely be used from multiple threads * simultaneously, but API calls that take a non-const pointer to a context * need exclusive access to it. In particular this is the case for - * rustsecp256k1zkp_v0_5_0_context_destroy, rustsecp256k1zkp_v0_5_0_context_preallocated_destroy, - * and rustsecp256k1zkp_v0_5_0_context_randomize. + * rustsecp256k1zkp_v0_6_0_context_destroy, rustsecp256k1zkp_v0_6_0_context_preallocated_destroy, + * and rustsecp256k1zkp_v0_6_0_context_randomize. * * Regarding randomization, either do it once at creation time (in which case * you do not need any locking for the other calls), or use a read-write lock. */ -typedef struct rustsecp256k1zkp_v0_5_0_context_struct rustsecp256k1zkp_v0_5_0_context; +typedef struct rustsecp256k1zkp_v0_6_0_context_struct rustsecp256k1zkp_v0_6_0_context; /** Opaque data structure that holds rewriteable "scratch space" * @@ -54,19 +56,20 @@ typedef struct rustsecp256k1zkp_v0_5_0_context_struct rustsecp256k1zkp_v0_5_0_co * Unlike the context object, this cannot safely be shared between threads * without additional synchronization logic. */ -typedef struct rustsecp256k1zkp_v0_5_0_scratch_space_struct rustsecp256k1zkp_v0_5_0_scratch_space; +typedef struct rustsecp256k1zkp_v0_6_0_scratch_space_struct rustsecp256k1zkp_v0_6_0_scratch_space; /** Opaque data structure that holds a parsed and valid public key. * * The exact representation of data inside is implementation defined and not * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. - * If you need to convert to a format suitable for storage, transmission, or - * comparison, use rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize and rustsecp256k1zkp_v0_5_0_ec_pubkey_parse. + * If you need to convert to a format suitable for storage or transmission, + * use rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize and rustsecp256k1zkp_v0_6_0_ec_pubkey_parse. To + * compare keys, use rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_pubkey; +} rustsecp256k1zkp_v0_6_0_pubkey; /** Opaque data structured that holds a parsed ECDSA signature. * @@ -74,12 +77,12 @@ typedef struct { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage, transmission, or - * comparison, use the rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_* and - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_* functions. + * comparison, use the rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_* and + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_* functions. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_ecdsa_signature; +} rustsecp256k1zkp_v0_6_0_ecdsa_signature; /** A pointer to a function to deterministically generate a nonce. * @@ -97,7 +100,7 @@ typedef struct { * Except for test cases, this function should compute some cryptographic hash of * the message, the algorithm, the key and the attempt. */ -typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( +typedef int (*rustsecp256k1zkp_v0_6_0_nonce_function)( unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, @@ -127,6 +130,17 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( # define SECP256K1_INLINE inline # endif +/** When this header is used at build-time the SECP256K1_BUILD define needs to be set + * to correctly setup export attributes and nullness checks. This is normally done + * by secp256k1.c but to guard against this header being included before secp256k1.c + * has had a chance to set the define (e.g. via test harnesses that just includes + * secp256k1.c) we set SECP256K1_NO_BUILD when this header is processed without the + * BUILD define so this condition can be caught. + */ +#ifndef SECP256K1_BUILD +# define SECP256K1_NO_BUILD +#endif + #ifndef SECP256K1_API # if defined(_WIN32) # ifdef SECP256K1_BUILD @@ -165,14 +179,14 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( #define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY (1 << 10) #define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8) -/** Flags to pass to rustsecp256k1zkp_v0_5_0_context_create, rustsecp256k1zkp_v0_5_0_context_preallocated_size, and - * rustsecp256k1zkp_v0_5_0_context_preallocated_create. */ +/** Flags to pass to rustsecp256k1zkp_v0_6_0_context_create, rustsecp256k1zkp_v0_6_0_context_preallocated_size, and + * rustsecp256k1zkp_v0_6_0_context_preallocated_create. */ #define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) #define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN) #define SECP256K1_CONTEXT_DECLASSIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY) #define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT) -/** Flag to pass to rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize. */ +/** Flag to pass to rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize. */ #define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION) #define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION) @@ -188,20 +202,20 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function)( * API consistency, but currently do not require expensive precomputations or dynamic * allocations. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_context *rustsecp256k1zkp_v0_5_0_context_no_precomp; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_context *rustsecp256k1zkp_v0_6_0_context_no_precomp; /** Create a secp256k1 context object (in dynamically allocated memory). * * This function uses malloc to allocate memory. It is guaranteed that malloc is * called at most once for every call of this function. If you need to avoid dynamic - * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_5_0_preallocated.h. + * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_6_0_preallocated.h. * * Returns: a newly created context object. * In: flags: which parts of the context to initialize. * - * See also rustsecp256k1zkp_v0_5_0_context_randomize. + * See also rustsecp256k1zkp_v0_6_0_context_randomize. */ -SECP256K1_API rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_create( +SECP256K1_API rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_create( unsigned int flags ) SECP256K1_WARN_UNUSED_RESULT; @@ -209,30 +223,30 @@ SECP256K1_API rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_c * * This function uses malloc to allocate memory. It is guaranteed that malloc is * called at most once for every call of this function. If you need to avoid dynamic - * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_5_0_preallocated.h. + * memory allocation entirely, see the functions in rustsecp256k1zkp_v0_6_0_preallocated.h. * * Returns: a newly created context object. * Args: ctx: an existing context to copy (cannot be NULL) */ -SECP256K1_API rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_clone( - const rustsecp256k1zkp_v0_5_0_context* ctx +SECP256K1_API rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_clone( + const rustsecp256k1zkp_v0_6_0_context* ctx ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT; /** Destroy a secp256k1 context object (created in dynamically allocated memory). * * The context pointer may not be used afterwards. * - * The context to destroy must have been created using rustsecp256k1zkp_v0_5_0_context_create - * or rustsecp256k1zkp_v0_5_0_context_clone. If the context has instead been created using - * rustsecp256k1zkp_v0_5_0_context_preallocated_create or rustsecp256k1zkp_v0_5_0_context_preallocated_clone, the - * behaviour is undefined. In that case, rustsecp256k1zkp_v0_5_0_context_preallocated_destroy must + * The context to destroy must have been created using rustsecp256k1zkp_v0_6_0_context_create + * or rustsecp256k1zkp_v0_6_0_context_clone. If the context has instead been created using + * rustsecp256k1zkp_v0_6_0_context_preallocated_create or rustsecp256k1zkp_v0_6_0_context_preallocated_clone, the + * behaviour is undefined. In that case, rustsecp256k1zkp_v0_6_0_context_preallocated_destroy must * be used instead. * * Args: ctx: an existing context to destroy, constructed using - * rustsecp256k1zkp_v0_5_0_context_create or rustsecp256k1zkp_v0_5_0_context_clone + * rustsecp256k1zkp_v0_6_0_context_create or rustsecp256k1zkp_v0_6_0_context_clone */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_destroy( - rustsecp256k1zkp_v0_5_0_context* ctx +SECP256K1_API void rustsecp256k1zkp_v0_6_0_context_destroy( + rustsecp256k1zkp_v0_6_0_context* ctx ); /** Set a callback function to be called when an illegal argument is passed to @@ -256,11 +270,11 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_destroy( * USE_EXTERNAL_DEFAULT_CALLBACKS is defined, which is the case if the build * has been configured with --enable-external-default-callbacks. Then the * following two symbols must be provided to link against: - * - void rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn(const char* message, void* data); - * - void rustsecp256k1zkp_v0_5_0_default_error_callback_fn(const char* message, void* data); + * - void rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn(const char* message, void* data); + * - void rustsecp256k1zkp_v0_6_0_default_error_callback_fn(const char* message, void* data); * The library can call these default handlers even before a proper callback data - * pointer could have been set using rustsecp256k1zkp_v0_5_0_context_set_illegal_callback or - * rustsecp256k1zkp_v0_5_0_context_set_error_callback, e.g., when the creation of a context + * pointer could have been set using rustsecp256k1zkp_v0_6_0_context_set_illegal_callback or + * rustsecp256k1zkp_v0_6_0_context_set_error_callback, e.g., when the creation of a context * fails. In this case, the corresponding default handler will be called with * the data pointer argument set to NULL. * @@ -270,10 +284,10 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_destroy( * (NULL restores the default handler.) * data: the opaque pointer to pass to fun above. * - * See also rustsecp256k1zkp_v0_5_0_context_set_error_callback. + * See also rustsecp256k1zkp_v0_6_0_context_set_error_callback. */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_illegal_callback( - rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API void rustsecp256k1zkp_v0_6_0_context_set_illegal_callback( + rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data ) SECP256K1_ARG_NONNULL(1); @@ -284,21 +298,21 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_illegal_callback( * This can only trigger in case of a hardware failure, miscompilation, * memory corruption, serious bug in the library, or other error would can * otherwise result in undefined behaviour. It will not trigger due to mere - * incorrect usage of the API (see rustsecp256k1zkp_v0_5_0_context_set_illegal_callback + * incorrect usage of the API (see rustsecp256k1zkp_v0_6_0_context_set_illegal_callback * for that). After this callback returns, anything may happen, including * crashing. * * Args: ctx: an existing context object (cannot be NULL) * In: fun: a pointer to a function to call when an internal error occurs, * taking a message and an opaque pointer (NULL restores the - * default handler, see rustsecp256k1zkp_v0_5_0_context_set_illegal_callback + * default handler, see rustsecp256k1zkp_v0_6_0_context_set_illegal_callback * for details). * data: the opaque pointer to pass to fun above. * - * See also rustsecp256k1zkp_v0_5_0_context_set_illegal_callback. + * See also rustsecp256k1zkp_v0_6_0_context_set_illegal_callback. */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_error_callback( - rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API void rustsecp256k1zkp_v0_6_0_context_set_error_callback( + rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data ) SECP256K1_ARG_NONNULL(1); @@ -310,8 +324,8 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_set_error_callback( * In: size: amount of memory to be available as scratch space. Some extra * (<100 bytes) will be allocated for extra accounting. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT rustsecp256k1zkp_v0_5_0_scratch_space* rustsecp256k1zkp_v0_5_0_scratch_space_create( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT rustsecp256k1zkp_v0_6_0_scratch_space* rustsecp256k1zkp_v0_6_0_scratch_space_create( + const rustsecp256k1zkp_v0_6_0_context* ctx, size_t size ) SECP256K1_ARG_NONNULL(1); @@ -321,9 +335,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT rustsecp256k1zkp_v0_5_0_scratch_space * Args: ctx: a secp256k1 context object. * scratch: space to destroy */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_scratch_space_destroy( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_scratch_space* scratch +SECP256K1_API void rustsecp256k1zkp_v0_6_0_scratch_space_destroy( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_scratch_space* scratch ) SECP256K1_ARG_NONNULL(1); /** Parse a variable-length public key into the pubkey object. @@ -340,9 +354,9 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_scratch_space_destroy( * 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header * byte 0x06 or 0x07) format public keys. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey* pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey* pubkey, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -357,19 +371,34 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * In/Out: outputlen: a pointer to an integer which is initially set to the * size of output, and is overwritten with the written * size. - * In: pubkey: a pointer to a rustsecp256k1zkp_v0_5_0_pubkey containing an + * In: pubkey: a pointer to a rustsecp256k1zkp_v0_6_0_pubkey containing an * initialized public key. * flags: SECP256K1_EC_COMPRESSED if serialization should be in * compressed format, otherwise SECP256K1_EC_UNCOMPRESSED. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, - const rustsecp256k1zkp_v0_5_0_pubkey* pubkey, + const rustsecp256k1zkp_v0_6_0_pubkey* pubkey, unsigned int flags ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); +/** Compare two public keys using lexicographic (of compressed serialization) order + * + * Returns: <0 if the first public key is less than the second + * >0 if the first public key is greater than the second + * 0 if the two public keys are equal + * Args: ctx: a secp256k1 context object. + * In: pubkey1: first public key to compare + * pubkey2: second public key to compare + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_pubkey* pubkey1, + const rustsecp256k1zkp_v0_6_0_pubkey* pubkey2 +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + /** Parse an ECDSA signature in compact (64 bytes) format. * * Returns: 1 when the signature could be parsed, 0 otherwise. @@ -385,9 +414,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize( * S are zero, the resulting sig value is guaranteed to fail validation for any * message and public key. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input64 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -406,9 +435,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact( * encoded numbers are out of range, signature validation with it is * guaranteed to fail for every message and public key. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -424,11 +453,11 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der( * if 0 was returned). * In: sig: a pointer to an initialized signature object */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig + const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Serialize an ECDSA signature in compact (64 byte) format. @@ -438,12 +467,12 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der( * Out: output64: a pointer to a 64-byte array to store the compact serialization * In: sig: a pointer to an initialized signature object * - * See rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact for details about the encoding. + * See rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact for details about the encoding. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output64, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig + const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Verify an ECDSA signature. @@ -466,16 +495,16 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact( * form are accepted. * * If you need to accept ECDSA signatures from sources that do not obey this - * rule, apply rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize to the signature prior to + * rule, apply rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize to the signature prior to * validation, but be aware that doing so results in malleable signatures. * * For details, see the comments for that function. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ecdsa_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msghash32, - const rustsecp256k1zkp_v0_5_0_pubkey *pubkey + const rustsecp256k1zkp_v0_6_0_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Convert a signature to a normalized lower-S form. @@ -515,25 +544,25 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_ver * accept various non-unique encodings, so care should be taken when this * property is required for an application. * - * The rustsecp256k1zkp_v0_5_0_ecdsa_sign function will by default create signatures in the - * lower-S form, and rustsecp256k1zkp_v0_5_0_ecdsa_verify will not accept others. In case + * The rustsecp256k1zkp_v0_6_0_ecdsa_sign function will by default create signatures in the + * lower-S form, and rustsecp256k1zkp_v0_6_0_ecdsa_verify will not accept others. In case * signatures come from a system that cannot enforce this property, - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize must be called before verification. + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize must be called before verification. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigout, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigin +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigout, + const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigin ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3); /** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of * extra entropy. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_rfc6979; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_rfc6979; -/** A default safe nonce generation function (currently equal to rustsecp256k1zkp_v0_5_0_nonce_function_rfc6979). */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_default; +/** A default safe nonce generation function (currently equal to rustsecp256k1zkp_v0_6_0_nonce_function_rfc6979). */ +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_default; /** Create an ECDSA signature. * @@ -543,18 +572,18 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1z * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) * In: msghash32: the 32-byte message hash being signed (cannot be NULL) * seckey: pointer to a 32-byte secret key (cannot be NULL) - * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_5_0_nonce_function_default is used + * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_6_0_nonce_function_default is used * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) * * The created signature is always in lower-S form. See - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize for more details. + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize for more details. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, - rustsecp256k1zkp_v0_5_0_nonce_function noncefp, + rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -570,8 +599,8 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_sign( * Args: ctx: pointer to a context object (cannot be NULL) * In: seckey: pointer to a 32-byte secret key (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); @@ -583,32 +612,32 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey * Out: pubkey: pointer to the created public key (cannot be NULL) * In: seckey: pointer to a 32-byte secret key (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_create( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_create( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Negates a secret key in place. * * Returns: 0 if the given secret key is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify. 1 otherwise + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify. 1 otherwise * Args: ctx: pointer to a context object * In/Out: seckey: pointer to the 32-byte secret key to be negated. If the * secret key is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0 and + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0 and * seckey will be set to some unspecified value. (cannot be * NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_negate( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_negate( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); -/** Same as rustsecp256k1zkp_v0_5_0_ec_seckey_negate, but DEPRECATED. Will be removed in +/** Same as rustsecp256k1zkp_v0_6_0_ec_seckey_negate, but DEPRECATED. Will be removed in * future versions. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privkey_negate( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_privkey_negate( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); @@ -618,9 +647,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privke * Args: ctx: pointer to a context object * In/Out: pubkey: pointer to the public key to be negated (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_negate( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_negate( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); /** Tweak a secret key by adding tweak to it. @@ -630,24 +659,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * otherwise. * Args: ctx: pointer to a context object (cannot be NULL). * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is - * invalid according to rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this + * invalid according to rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this * function returns 0. seckey will be set to some unspecified * value if this function returns 0. (cannot be NULL) * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Same as rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add, but DEPRECATED. Will be removed in +/** Same as rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add, but DEPRECATED. Will be removed in * future versions. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -662,13 +691,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privke * In/Out: pubkey: pointer to a public key object. pubkey will be set to an * invalid value if this function returns 0 (cannot be NULL). * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -677,24 +706,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * Returns: 0 if the arguments are invalid. 1 otherwise. * Args: ctx: pointer to a context object (cannot be NULL). * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is - * invalid according to rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this + * invalid according to rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this * function returns 0. seckey will be set to some unspecified * value if this function returns 0. (cannot be NULL) * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Same as rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in +/** Same as rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in * future versions. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_mul( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_mul( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -707,13 +736,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_privke * In/Out: pubkey: pointer to a public key object. pubkey will be set to an * invalid value if this function returns 0 (cannot be NULL). * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according to - * rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -738,12 +767,12 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey * guaranteed and may change in the future. It is safe to call this function on * contexts not initialized for signing; then it will have no effect and return 1. * - * You should call this after rustsecp256k1zkp_v0_5_0_context_create or - * rustsecp256k1zkp_v0_5_0_context_clone (and rustsecp256k1zkp_v0_5_0_context_preallocated_create or - * rustsecp256k1zkp_v0_5_0_context_clone, resp.), and you may call this repeatedly afterwards. + * You should call this after rustsecp256k1zkp_v0_6_0_context_create or + * rustsecp256k1zkp_v0_6_0_context_clone (and rustsecp256k1zkp_v0_6_0_context_preallocated_create or + * rustsecp256k1zkp_v0_6_0_context_clone, resp.), and you may call this repeatedly afterwards. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_context_randomize( - rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_context_randomize( + rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seed32 ) SECP256K1_ARG_NONNULL(1); @@ -757,10 +786,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_context_r * In: ins: pointer to array of pointers to public keys (cannot be NULL) * n: the number of public keys to add together (must be at least 1) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ec_pubkey_combine( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *out, - const rustsecp256k1zkp_v0_5_0_pubkey * const * ins, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ec_pubkey_combine( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *out, + const rustsecp256k1zkp_v0_6_0_pubkey * const * ins, size_t n ) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdh.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdh.h index b3c7b403..d0a17cc6 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdh.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdh.h @@ -10,15 +10,15 @@ extern "C" { /** A pointer to a function that hashes an EC point to obtain an ECDH secret * * Returns: 1 if the point was successfully hashed. - * 0 will cause rustsecp256k1zkp_v0_5_0_ecdh to fail and return 0. + * 0 will cause rustsecp256k1zkp_v0_6_0_ecdh to fail and return 0. * Other return values are not allowed, and the behaviour of - * rustsecp256k1zkp_v0_5_0_ecdh is undefined for other return values. + * rustsecp256k1zkp_v0_6_0_ecdh is undefined for other return values. * Out: output: pointer to an array to be filled by the function * In: x32: pointer to a 32-byte x coordinate * y32: pointer to a 32-byte y coordinate * data: arbitrary data pointer that is passed through */ -typedef int (*rustsecp256k1zkp_v0_5_0_ecdh_hash_function)( +typedef int (*rustsecp256k1zkp_v0_6_0_ecdh_hash_function)( unsigned char *output, const unsigned char *x32, const unsigned char *y32, @@ -27,11 +27,11 @@ typedef int (*rustsecp256k1zkp_v0_5_0_ecdh_hash_function)( /** An implementation of SHA256 hash function that applies to compressed public key. * Populates the output parameter with 32 bytes. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_ecdh_hash_function rustsecp256k1zkp_v0_5_0_ecdh_hash_function_sha256; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_ecdh_hash_function rustsecp256k1zkp_v0_6_0_ecdh_hash_function_sha256; -/** A default ECDH hash function (currently equal to rustsecp256k1zkp_v0_5_0_ecdh_hash_function_sha256). +/** A default ECDH hash function (currently equal to rustsecp256k1zkp_v0_6_0_ecdh_hash_function_sha256). * Populates the output parameter with 32 bytes. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_ecdh_hash_function rustsecp256k1zkp_v0_5_0_ecdh_hash_function_default; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_ecdh_hash_function rustsecp256k1zkp_v0_6_0_ecdh_hash_function_default; /** Compute an EC Diffie-Hellman secret in constant time * @@ -39,19 +39,19 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_ecdh_hash_function rustsecp25 * 0: scalar was invalid (zero or overflow) or hashfp returned 0 * Args: ctx: pointer to a context object (cannot be NULL) * Out: output: pointer to an array to be filled by hashfp - * In: pubkey: a pointer to a rustsecp256k1zkp_v0_5_0_pubkey containing an + * In: pubkey: a pointer to a rustsecp256k1zkp_v0_6_0_pubkey containing an * initialized public key * seckey: a 32-byte scalar with which to multiply the point - * hashfp: pointer to a hash function. If NULL, rustsecp256k1zkp_v0_5_0_ecdh_hash_function_sha256 is used + * hashfp: pointer to a hash function. If NULL, rustsecp256k1zkp_v0_6_0_ecdh_hash_function_sha256 is used * (in which case, 32 bytes will be written to output) * data: arbitrary data pointer that is passed through to hashfp */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdh( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ecdh( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, - const rustsecp256k1zkp_v0_5_0_pubkey *pubkey, + const rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *seckey, - rustsecp256k1zkp_v0_5_0_ecdh_hash_function hashfp, + rustsecp256k1zkp_v0_6_0_ecdh_hash_function hashfp, void *data ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_adaptor.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_adaptor.h index 14065436..eb76ffa6 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_adaptor.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_adaptor.h @@ -29,7 +29,7 @@ extern "C" { /** A pointer to a function to deterministically generate a nonce. * - * Same as rustsecp256k1zkp_v0_5_0_nonce_function_hardened with the exception of using the + * Same as rustsecp256k1zkp_v0_6_0_nonce_function_hardened with the exception of using the * compressed 33-byte encoding for the pubkey argument. * * Returns: 1 if a nonce was successfully generated. 0 will cause signing to @@ -45,7 +45,7 @@ extern "C" { * Except for test cases, this function should compute some cryptographic hash of * the message, the key, the pubkey, the algorithm description, and data. */ -typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor)( +typedef int (*rustsecp256k1zkp_v0_6_0_nonce_function_hardened_ecdsa_adaptor)( unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, @@ -59,7 +59,7 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor)( * assumed to be a pointer to 32 bytes of auxiliary random data as defined in BIP-340. * The hash will be tagged with algo after removing all terminating null bytes. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_nonce_function_hardened_ecdsa_adaptor rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor; /** Encrypted Signing * @@ -76,20 +76,20 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa * enckey: pointer to the encryption public key * msg32: pointer to the 32-byte message hash to sign * noncefp: pointer to a nonce generation function. If NULL, - * rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor is used + * rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor is used * ndata: pointer to arbitrary data used by the nonce generation * function (can be NULL). If it is non-NULL and - * rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor is used, then + * rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor is used, then * ndata must be a pointer to 32-byte auxiliary randomness * as per BIP-340. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *adaptor_sig162, unsigned char *seckey32, - const rustsecp256k1zkp_v0_5_0_pubkey *enckey, + const rustsecp256k1zkp_v0_6_0_pubkey *enckey, const unsigned char *msg32, - rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor noncefp, + rustsecp256k1zkp_v0_6_0_nonce_function_hardened_ecdsa_adaptor noncefp, void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); @@ -106,12 +106,12 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt( * msg32: pointer to the 32-byte message hash being verified * enckey: pointer to the adaptor encryption public key */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *adaptor_sig162, - const rustsecp256k1zkp_v0_5_0_pubkey *pubkey, + const rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *msg32, - const rustsecp256k1zkp_v0_5_0_pubkey *enckey + const rustsecp256k1zkp_v0_6_0_pubkey *enckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); /** Signature Decryption @@ -125,9 +125,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify( * encryption public key * adaptor_sig162: pointer to 162-byte adaptor sig */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *deckey32, const unsigned char *adaptor_sig162 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -147,12 +147,12 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt( * decryption key from * enckey: pointer to the adaptor encryption public key */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *deckey32, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, + const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *adaptor_sig162, - const rustsecp256k1zkp_v0_5_0_pubkey *enckey + const rustsecp256k1zkp_v0_6_0_pubkey *enckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); #ifdef __cplusplus diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_s2c.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_s2c.h index a5b39d6a..330938f3 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_s2c.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_ecdsa_s2c.h @@ -23,11 +23,11 @@ extern "C" { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage, transmission, or - * comparison, use rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize and rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse. + * comparison, use rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize and rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening; +} rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening; /** Parse a sign-to-contract opening. * @@ -39,9 +39,9 @@ typedef struct { * In: input33: pointer to 33-byte array with a serialized opening * */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, const unsigned char* input33 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -51,29 +51,29 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_s2c * 0 if the opening could not be serialized * Args: ctx: a secp256k1 context object * Out: output33: pointer to a 33-byte array to place the serialized opening in - * In: opening: a pointer to an initialized `rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening` + * In: opening: a pointer to an initialized `rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening` */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char* output33, - const rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening + const rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Same as rustsecp256k1zkp_v0_5_0_ecdsa_sign, but s2c_data32 is committed to inside the nonce +/** Same as rustsecp256k1zkp_v0_6_0_ecdsa_sign, but s2c_data32 is committed to inside the nonce * * Returns: 1: signature created * 0: the nonce generation function failed, or the private key was invalid. * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) - * s2c_opening: if non-NULL, pointer to an rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening structure to populate + * s2c_opening: if non-NULL, pointer to an rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening structure to populate * In: msg32: the 32-byte message hash being signed (cannot be NULL) * seckey: pointer to a 32-byte secret key (cannot be NULL) * s2c_data32: pointer to a 32-byte data to commit to in the nonce (cannot be NULL) */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* s2c_opening, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* s2c_opening, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* s2c_data32 @@ -89,11 +89,11 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign( * data32: the 32-byte data that was committed to (cannot be NULL) * opening: pointer to the opening created during signing (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *data32, - const rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening *opening + const rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening *opening ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -113,9 +113,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_s2c * keys, or the signing device to bias the nonce despite the host's contributions, * the host and client must engage in a commit-reveal protocol as follows: * 1. The host draws randomness `rho` and computes a sha256 commitment to it using - * `rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit`. It sends this to the signing device. + * `rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit`. It sends this to the signing device. * 2. The signing device computes a public nonce `R` using the host's commitment - * as auxiliary randomness, using `rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit`. + * as auxiliary randomness, using `rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit`. * The signing device sends the resulting `R` to the host as a s2c_opening. * * If, at any point from this step onward, the hardware device fails, it is @@ -135,10 +135,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_s2c * EVER, they should change hardware vendors and perhaps sweep their coins. * * 3. The host replies with `rho` generated in step 1. - * 4. The device signs with `rustsecp256k1zkp_v0_5_0_anti_exfil_sign`, using `rho` as `host_data32`, + * 4. The device signs with `rustsecp256k1zkp_v0_6_0_anti_exfil_sign`, using `rho` as `host_data32`, * and sends the signature to the host. * 5. The host verifies that the signature's public nonce matches the opening from - * step 2 and its original randomness `rho`, using `rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify`. + * step 2 and its original randomness `rho`, using `rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify`. * * Rationale: * - The reason for having a host commitment is to allow the signing device to @@ -164,8 +164,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_s2c * be revealed to the client until after the host has received the client * commitment. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -180,15 +180,15 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit( * seckey32: the 32-byte secret key used for signing (cannot be NULL) * rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL) */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* s2c_opening, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* s2c_opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); -/** Same as rustsecp256k1zkp_v0_5_0_ecdsa_sign, but commits to host randomness in the nonce. Part of the +/** Same as rustsecp256k1zkp_v0_6_0_ecdsa_sign, but commits to host randomness in the nonce. Part of the * ECDSA Anti-Exfil Protocol. * * Returns: 1: signature created @@ -199,9 +199,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit( * seckey: pointer to a 32-byte secret key (cannot be NULL) * host_data32: pointer to 32-byte host-provided randomness (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_anti_exfil_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_anti_exfil_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32 @@ -218,13 +218,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_anti_exfi * host_data32: the 32-byte data provided by the host (cannot be NULL) * opening: the s2c opening provided by the signer (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msg32, - const rustsecp256k1zkp_v0_5_0_pubkey *pubkey, + const rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *host_data32, - const rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening *opening + const rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening *opening ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6); #ifdef __cplusplus diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_extrakeys.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_extrakeys.h index 89333e7b..3b12a1bb 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_extrakeys.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_extrakeys.h @@ -15,13 +15,13 @@ extern "C" { * The exact representation of data inside is implementation defined and not * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. - * If you need to convert to a format suitable for storage, transmission, or - * comparison, use rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize and - * rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse. + * If you need to convert to a format suitable for storage, transmission, use + * use rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize and rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse. To + * compare keys, use rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_xonly_pubkey; +} rustsecp256k1zkp_v0_6_0_xonly_pubkey; /** Opaque data structure that holds a keypair consisting of a secret and a * public key. @@ -32,7 +32,7 @@ typedef struct { */ typedef struct { unsigned char data[96]; -} rustsecp256k1zkp_v0_5_0_keypair; +} rustsecp256k1zkp_v0_6_0_keypair; /** Parse a 32-byte sequence into a xonly_pubkey object. * @@ -45,9 +45,9 @@ typedef struct { * (cannot be NULL). * In: input32: pointer to a serialized xonly_pubkey (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_xonly_pubkey* pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_xonly_pubkey* pubkey, const unsigned char *input32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -58,16 +58,31 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pub * Args: ctx: a secp256k1 context object (cannot be NULL). * Out: output32: a pointer to a 32-byte array to place the serialized key in * (cannot be NULL). - * In: pubkey: a pointer to a rustsecp256k1zkp_v0_5_0_xonly_pubkey containing an + * In: pubkey: a pointer to a rustsecp256k1zkp_v0_6_0_xonly_pubkey containing an * initialized public key (cannot be NULL). */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output32, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey* pubkey + const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Converts a rustsecp256k1zkp_v0_5_0_pubkey into a rustsecp256k1zkp_v0_5_0_xonly_pubkey. +/** Compare two x-only public keys using lexicographic order + * + * Returns: <0 if the first public key is less than the second + * >0 if the first public key is greater than the second + * 0 if the two public keys are equal + * Args: ctx: a secp256k1 context object. + * In: pubkey1: first public key to compare + * pubkey2: second public key to compare + */ +SECP256K1_API int rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pk1, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pk2 +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Converts a rustsecp256k1zkp_v0_6_0_pubkey into a rustsecp256k1zkp_v0_6_0_xonly_pubkey. * * Returns: 1 if the public key was successfully converted * 0 otherwise @@ -80,11 +95,11 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize( * set to 0 otherwise. (can be NULL) * In: pubkey: pointer to a public key that is converted (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_xonly_pubkey *xonly_pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_xonly_pubkey *xonly_pubkey, int *pk_parity, - const rustsecp256k1zkp_v0_5_0_pubkey *pubkey + const rustsecp256k1zkp_v0_6_0_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4); /** Tweak an x-only public key by adding the generator multiplied with tweak32 @@ -92,7 +107,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pub * * Note that the resulting point can not in general be represented by an x-only * pubkey because it may have an odd Y coordinate. Instead, the output_pubkey - * is a normal rustsecp256k1zkp_v0_5_0_pubkey. + * is a normal rustsecp256k1zkp_v0_6_0_pubkey. * * Returns: 0 if the arguments are invalid or the resulting public key would be * invalid (only when the tweak is the negation of the corresponding @@ -106,24 +121,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pub * In: internal_pubkey: pointer to an x-only pubkey to apply the tweak to. * (cannot be NULL). * tweak32: pointer to a 32-byte tweak. If the tweak is invalid - * according to rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function + * according to rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function * returns 0. For uniformly random 32-byte arrays the * chance of being invalid is negligible (around 1 in * 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *output_pubkey, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *internal_pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *output_pubkey, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Checks that a tweaked pubkey is the result of calling - * rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add with internal_pubkey and tweak32. + * rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add with internal_pubkey and tweak32. * * The tweaked pubkey is represented by its 32-byte x-only serialization and * its pk_parity, which can both be obtained by converting the result of - * tweak_add to a rustsecp256k1zkp_v0_5_0_xonly_pubkey. + * tweak_add to a rustsecp256k1zkp_v0_6_0_xonly_pubkey. * * Note that this alone does _not_ verify that the tweaked pubkey is a * commitment. If the tweak is not chosen in a specific way, the tweaked pubkey @@ -137,17 +152,17 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pub * tweaked_pk_parity: the parity of the tweaked pubkey (whose serialization * is passed in as tweaked_pubkey32). This must match the * pk_parity value that is returned when calling - * rustsecp256k1zkp_v0_5_0_xonly_pubkey with the tweaked pubkey, or + * rustsecp256k1zkp_v0_6_0_xonly_pubkey with the tweaked pubkey, or * this function will fail. * internal_pubkey: pointer to an x-only public key object to apply the * tweak to (cannot be NULL) * tweak32: pointer to a 32-byte tweak (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check( + const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *internal_pubkey, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); @@ -159,9 +174,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_xonly_pub * Out: keypair: pointer to the created keypair (cannot be NULL) * In: seckey: pointer to a 32-byte secret key (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_create( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_keypair *keypair, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_keypair_create( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_keypair *keypair, const unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -172,10 +187,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_c * Out: seckey: pointer to a 32-byte buffer for the secret key (cannot be NULL) * In: keypair: pointer to a keypair (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_sec( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_keypair_sec( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, - const rustsecp256k1zkp_v0_5_0_keypair *keypair + const rustsecp256k1zkp_v0_6_0_keypair *keypair ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Get the public key from a keypair. @@ -187,16 +202,16 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_s * (cannot be NULL) * In: keypair: pointer to a keypair (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_pub( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, - const rustsecp256k1zkp_v0_5_0_keypair *keypair +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_keypair_pub( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, + const rustsecp256k1zkp_v0_6_0_keypair *keypair ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Get the x-only public key from a keypair. * - * This is the same as calling rustsecp256k1zkp_v0_5_0_keypair_pub and then - * rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey. + * This is the same as calling rustsecp256k1zkp_v0_6_0_keypair_pub and then + * rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey. * * Returns: 0 if the arguments are invalid. 1 otherwise. * Args: ctx: pointer to a context object (cannot be NULL) @@ -205,22 +220,22 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_p * xonly_pubkey. If not, it's set to an invalid value (cannot be * NULL). * pk_parity: pointer to an integer that will be set to the pk_parity - * argument of rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey (can be NULL). + * argument of rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey (can be NULL). * In: keypair: pointer to a keypair (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_xonly_pub( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_keypair_xonly_pub( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey, int *pk_parity, - const rustsecp256k1zkp_v0_5_0_keypair *keypair + const rustsecp256k1zkp_v0_6_0_keypair *keypair ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4); /** Tweak a keypair by adding tweak32 to the secret key and updating the public * key accordingly. * - * Calling this function and then rustsecp256k1zkp_v0_5_0_keypair_pub results in the same - * public key as calling rustsecp256k1zkp_v0_5_0_keypair_xonly_pub and then - * rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add. + * Calling this function and then rustsecp256k1zkp_v0_6_0_keypair_pub results in the same + * public key as calling rustsecp256k1zkp_v0_6_0_keypair_xonly_pub and then + * rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add. * * Returns: 0 if the arguments are invalid or the resulting keypair would be * invalid (only when the tweak is the negation of the keypair's @@ -232,13 +247,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_x * an invalid value if this function returns 0 (cannot be * NULL). * In: tweak32: pointer to a 32-byte tweak. If the tweak is invalid according - * to rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function returns 0. For + * to rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function returns 0. For * uniformly random 32-byte arrays the chance of being invalid * is negligible (around 1 in 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_keypair *keypair, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_keypair *keypair, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_generator.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_generator.h index abcb588c..2e0ae992 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_generator.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_generator.h @@ -15,11 +15,11 @@ extern "C" { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage, transmission, or - * comparison, use rustsecp256k1zkp_v0_5_0_generator_serialize and rustsecp256k1zkp_v0_5_0_generator_parse. + * comparison, use rustsecp256k1zkp_v0_6_0_generator_serialize and rustsecp256k1zkp_v0_6_0_generator_parse. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_generator; +} rustsecp256k1zkp_v0_6_0_generator; /** Parse a 33-byte generator byte sequence into a generator object. * @@ -28,9 +28,9 @@ typedef struct { * Out: gen: pointer to the output generator object * In: input: pointer to a 33-byte serialized generator */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_generator_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_generator* gen, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_generator_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_generator* gen, const unsigned char *input ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -41,10 +41,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_generator * Out: output: a pointer to a 33-byte byte array * In: gen: a pointer to a generator */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_generator_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_generator_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, - const rustsecp256k1zkp_v0_5_0_generator* gen + const rustsecp256k1zkp_v0_6_0_generator* gen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Generate a generator for the curve. @@ -60,9 +60,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_generator_serialize( * known discrete logarithm with respect to any other generator produced, * or to the base generator G. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_generator_generate( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_generator* gen, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_generator_generate( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_generator* gen, const unsigned char *seed32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -75,13 +75,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_generator * In: seed32: a 32-byte seed * blind32: a 32-byte secret value to blind the generator with. * - * The result is equivalent to first calling rustsecp256k1zkp_v0_5_0_generator_generate, - * converting the result to a public key, calling rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add, + * The result is equivalent to first calling rustsecp256k1zkp_v0_6_0_generator_generate, + * converting the result to a public key, calling rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add, * and then converting back to generator form. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_generator_generate_blinded( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_generator* gen, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_generator_generate_blinded( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_generator* gen, const unsigned char *seed32, const unsigned char *blind32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_musig.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_musig.h index f5fd6966..2c5c6c2d 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_musig.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_musig.h @@ -39,7 +39,7 @@ typedef struct { int is_tweaked; unsigned char tweak[32]; int internal_key_parity; -} rustsecp256k1zkp_v0_5_0_musig_pre_session; +} rustsecp256k1zkp_v0_6_0_musig_pre_session; /** Data structure containing data related to a signing session resulting in a single * signature. @@ -74,20 +74,20 @@ typedef struct { typedef struct { uint64_t magic; int round; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk; uint32_t n_signers; int is_msg_set; unsigned char msg[32]; int has_secret_data; unsigned char seckey[32]; unsigned char secnonce[32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey nonce; + rustsecp256k1zkp_v0_6_0_xonly_pubkey nonce; int partial_nonce_parity; unsigned char nonce_commitments_hash[32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_nonce; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_nonce; int combined_nonce_parity; -} rustsecp256k1zkp_v0_5_0_musig_session; +} rustsecp256k1zkp_v0_6_0_musig_session; /** Data structure containing data on all signers in a single session. * @@ -119,9 +119,9 @@ typedef struct { typedef struct { int present; uint32_t index; - rustsecp256k1zkp_v0_5_0_xonly_pubkey nonce; + rustsecp256k1zkp_v0_6_0_xonly_pubkey nonce; unsigned char nonce_commitment[32]; -} rustsecp256k1zkp_v0_5_0_musig_session_signer_data; +} rustsecp256k1zkp_v0_6_0_musig_session_signer_data; /** Opaque data structure that holds a MuSig partial signature. * @@ -134,7 +134,7 @@ typedef struct { */ typedef struct { unsigned char data[32]; -} rustsecp256k1zkp_v0_5_0_musig_partial_signature; +} rustsecp256k1zkp_v0_6_0_musig_partial_signature; /** Computes a combined public key and the hash of the given public keys. * Different orders of `pubkeys` result in different `combined_pk`s. @@ -152,22 +152,22 @@ typedef struct { * key (cannot be NULL) * n_pubkeys: length of pubkeys array. Must be greater than 0. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_pubkey_combine( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_scratch_space *scratch, - rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, - rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkeys, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_pubkey_combine( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_scratch_space *scratch, + rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, + rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkeys, size_t n_pubkeys ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5); /** Tweak an x-only public key by adding the generator multiplied with tweak32 * to it. The resulting output_pubkey with the given internal_pubkey and tweak - * passes `rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_test`. + * passes `rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_test`. * * This function is only useful before initializing a signing session. If you * are only computing a public key, but not intending to create a signature for - * it, you can just use `rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add`. Can only be called + * it, you can just use `rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add`. Can only be called * once with a given pre_session. * * Returns: 0 if the arguments are invalid or the resulting public key would be @@ -184,16 +184,16 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_pubkey_combine( * `musig_pubkey_combine` to which the tweak is applied. * (cannot be NULL). * tweak32: pointer to a 32-byte tweak. If the tweak is invalid - * according to rustsecp256k1zkp_v0_5_0_ec_seckey_verify, this function + * according to rustsecp256k1zkp_v0_6_0_ec_seckey_verify, this function * returns 0. For uniformly random 32-byte arrays the * chance of being invalid is negligible (around 1 in * 2^128) (cannot be NULL). */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, - rustsecp256k1zkp_v0_5_0_pubkey *output_pubkey, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *internal_pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, + rustsecp256k1zkp_v0_6_0_pubkey *output_pubkey, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); @@ -225,15 +225,15 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_pub * than `n_signers`. * seckey: the signer's 32-byte secret key (cannot be NULL) */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_session_init( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_session *session, - rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_session_init( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_session *session, + rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, - const rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, + const rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, size_t n_signers, size_t my_index, const unsigned char *seckey @@ -241,7 +241,7 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_session_init( /** Gets the signer's public nonce given a list of all signers' data with * commitments. Called by participating signers after - * `rustsecp256k1zkp_v0_5_0_musig_session_init` and after all nonce commitments have + * `rustsecp256k1zkp_v0_6_0_musig_session_init` and after all nonce commitments have * been collected * * Returns: 1: public nonce is written in nonce @@ -261,10 +261,10 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_session_init( * msg32: the 32-byte message to be signed. Must be NULL if already * set with `musig_session_init` otherwise can not be NULL. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_session *session, - rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_session *session, + rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, unsigned char *nonce32, const unsigned char *const *commitments, size_t n_commitments, @@ -291,13 +291,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_ses * participating in the MuSig. Must be greater than 0 and at most * 2^32 - 1. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_session_init_verifier( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_session *session, - rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_session_init_verifier( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_session *session, + rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, const unsigned char *msg32, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, - const rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, + const rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, const unsigned char *const *commitments, size_t n_signers ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7); @@ -313,9 +313,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_session_init_verifier( * with `musig_session_init_verifier`. * In: nonce32: signer's alleged public nonce (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_set_nonce( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signer, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_musig_set_nonce( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signer, const unsigned char *nonce32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -338,13 +338,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_set * adaptor: point to add to the combined public nonce. If NULL, nothing is * added to the combined nonce. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_session *session, - const rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_session *session, + const rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, size_t n_signers, int *nonce_parity, - const rustsecp256k1zkp_v0_5_0_pubkey *adaptor + const rustsecp256k1zkp_v0_6_0_pubkey *adaptor ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Serialize a MuSig partial signature or adaptor signature @@ -354,10 +354,10 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces( * Out: out32: pointer to a 32-byte array to store the serialized signature * In: sig: pointer to the signature */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_signature_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_partial_signature_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *out32, - const rustsecp256k1zkp_v0_5_0_musig_partial_signature* sig + const rustsecp256k1zkp_v0_6_0_musig_partial_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Parse and verify a MuSig partial signature. @@ -371,9 +371,9 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_signature_serialize( * encoded numbers are out of range, signature verification with it is * guaranteed to fail for every message and public key. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_partial_signature* sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_partial_signature_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_partial_signature* sig, const unsigned char *in32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -386,10 +386,10 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse( * computed (cannot be NULL) * Out: partial_sig: partial signature (cannot be NULL) */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_musig_session *session, - rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sig +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_partial_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_musig_session *session, + rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Checks that an individual partial signature verifies @@ -409,12 +409,12 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_sign( * In: partial_sig: signature to verify (cannot be NULL) * pubkey: public key of the signer who produced the signature (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_musig_session *session, - const rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signer, - const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sig, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_musig_session *session, + const rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signer, + const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sig, + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5); /** Combines partial signatures @@ -429,11 +429,11 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_par * In: partial_sigs: array of partial signatures to combine (cannot be NULL) * n_sigs: number of signatures in the partial_sigs array */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_musig_session *session, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_musig_session *session, unsigned char *sig64, - const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sigs, + const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sigs, size_t n_sigs ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -449,10 +449,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_par * be NULL) * nonce_parity: the `nonce_parity` output of `musig_session_combine_nonces` */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_musig_partial_signature *adaptor_sig, - const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_musig_partial_signature *adaptor_sig, + const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_parity ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -472,11 +472,11 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt( * n_partial_sigs: number of elements in partial_sigs array * nonce_parity: the `nonce_parity` output of `musig_session_combine_nonces` */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *sec_adaptor32, const unsigned char *sig64, - const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sigs, + const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_parity ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_preallocated.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_preallocated.h index ae7893fd..d5142b14 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_preallocated.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_preallocated.h @@ -16,8 +16,8 @@ extern "C" { * objects created by functions in secp256k1.h, i.e., they can be passed to any * API function that expects a context object (see secp256k1.h for details). The * only exception is that context objects created by functions in this module - * must be destroyed using rustsecp256k1zkp_v0_5_0_context_preallocated_destroy (in this - * module) instead of rustsecp256k1zkp_v0_5_0_context_destroy (in secp256k1.h). + * must be destroyed using rustsecp256k1zkp_v0_6_0_context_preallocated_destroy (in this + * module) instead of rustsecp256k1zkp_v0_6_0_context_destroy (in secp256k1.h). * * It is guaranteed that functions in this module will not call malloc or its * friends realloc, calloc, and free. @@ -27,24 +27,24 @@ extern "C" { * caller-provided memory. * * The purpose of this function is to determine how much memory must be provided - * to rustsecp256k1zkp_v0_5_0_context_preallocated_create. + * to rustsecp256k1zkp_v0_6_0_context_preallocated_create. * * Returns: the required size of the caller-provided memory block * In: flags: which parts of the context to initialize. */ -SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_context_preallocated_size( +SECP256K1_API size_t rustsecp256k1zkp_v0_6_0_context_preallocated_size( unsigned int flags ) SECP256K1_WARN_UNUSED_RESULT; /** Create a secp256k1 context object in caller-provided memory. * * The caller must provide a pointer to a rewritable contiguous block of memory - * of size at least rustsecp256k1zkp_v0_5_0_context_preallocated_size(flags) bytes, suitably + * of size at least rustsecp256k1zkp_v0_6_0_context_preallocated_size(flags) bytes, suitably * aligned to hold an object of any type. * * The block of memory is exclusively owned by the created context object during * the lifetime of this context object, which begins with the call to this - * function and ends when a call to rustsecp256k1zkp_v0_5_0_context_preallocated_destroy + * function and ends when a call to rustsecp256k1zkp_v0_6_0_context_preallocated_destroy * (which destroys the context object again) returns. During the lifetime of the * context object, the caller is obligated not to access this block of memory, * i.e., the caller may not read or write the memory, e.g., by copying the memory @@ -54,14 +54,14 @@ SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_context_preallocated_size( * * Returns: a newly created context object. * In: prealloc: a pointer to a rewritable contiguous block of memory of - * size at least rustsecp256k1zkp_v0_5_0_context_preallocated_size(flags) + * size at least rustsecp256k1zkp_v0_6_0_context_preallocated_size(flags) * bytes, as detailed above (cannot be NULL) * flags: which parts of the context to initialize. * - * See also rustsecp256k1zkp_v0_5_0_context_randomize (in secp256k1.h) - * and rustsecp256k1zkp_v0_5_0_context_preallocated_destroy. + * See also rustsecp256k1zkp_v0_6_0_context_randomize (in secp256k1.h) + * and rustsecp256k1zkp_v0_6_0_context_preallocated_destroy. */ -SECP256K1_API rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_preallocated_create( +SECP256K1_API rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_preallocated_create( void* prealloc, unsigned int flags ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT; @@ -72,28 +72,28 @@ SECP256K1_API rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_p * Returns: the required size of the caller-provided memory block. * In: ctx: an existing context to copy (cannot be NULL) */ -SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size( - const rustsecp256k1zkp_v0_5_0_context* ctx +SECP256K1_API size_t rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size( + const rustsecp256k1zkp_v0_6_0_context* ctx ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT; /** Copy a secp256k1 context object into caller-provided memory. * * The caller must provide a pointer to a rewritable contiguous block of memory - * of size at least rustsecp256k1zkp_v0_5_0_context_preallocated_size(flags) bytes, suitably + * of size at least rustsecp256k1zkp_v0_6_0_context_preallocated_size(flags) bytes, suitably * aligned to hold an object of any type. * * The block of memory is exclusively owned by the created context object during * the lifetime of this context object, see the description of - * rustsecp256k1zkp_v0_5_0_context_preallocated_create for details. + * rustsecp256k1zkp_v0_6_0_context_preallocated_create for details. * * Returns: a newly created context object. * Args: ctx: an existing context to copy (cannot be NULL) * In: prealloc: a pointer to a rewritable contiguous block of memory of - * size at least rustsecp256k1zkp_v0_5_0_context_preallocated_size(flags) + * size at least rustsecp256k1zkp_v0_6_0_context_preallocated_size(flags) * bytes, as detailed above (cannot be NULL) */ -SECP256K1_API rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_preallocated_clone( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_preallocated_clone( + const rustsecp256k1zkp_v0_6_0_context* ctx, void* prealloc ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT; @@ -103,22 +103,22 @@ SECP256K1_API rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_p * The context pointer may not be used afterwards. * * The context to destroy must have been created using - * rustsecp256k1zkp_v0_5_0_context_preallocated_create or rustsecp256k1zkp_v0_5_0_context_preallocated_clone. - * If the context has instead been created using rustsecp256k1zkp_v0_5_0_context_create or - * rustsecp256k1zkp_v0_5_0_context_clone, the behaviour is undefined. In that case, - * rustsecp256k1zkp_v0_5_0_context_destroy must be used instead. + * rustsecp256k1zkp_v0_6_0_context_preallocated_create or rustsecp256k1zkp_v0_6_0_context_preallocated_clone. + * If the context has instead been created using rustsecp256k1zkp_v0_6_0_context_create or + * rustsecp256k1zkp_v0_6_0_context_clone, the behaviour is undefined. In that case, + * rustsecp256k1zkp_v0_6_0_context_destroy must be used instead. * * If required, it is the responsibility of the caller to deallocate the block * of memory properly after this function returns, e.g., by calling free on the - * preallocated pointer given to rustsecp256k1zkp_v0_5_0_context_preallocated_create or - * rustsecp256k1zkp_v0_5_0_context_preallocated_clone. + * preallocated pointer given to rustsecp256k1zkp_v0_6_0_context_preallocated_create or + * rustsecp256k1zkp_v0_6_0_context_preallocated_clone. * * Args: ctx: an existing context to destroy, constructed using - * rustsecp256k1zkp_v0_5_0_context_preallocated_create or - * rustsecp256k1zkp_v0_5_0_context_preallocated_clone (cannot be NULL) + * rustsecp256k1zkp_v0_6_0_context_preallocated_create or + * rustsecp256k1zkp_v0_6_0_context_preallocated_clone (cannot be NULL) */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_context_preallocated_destroy( - rustsecp256k1zkp_v0_5_0_context* ctx +SECP256K1_API void rustsecp256k1zkp_v0_6_0_context_preallocated_destroy( + rustsecp256k1zkp_v0_6_0_context* ctx ); #ifdef __cplusplus diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_rangeproof.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_rangeproof.h index 7ad7f70e..7baae431 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_rangeproof.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_rangeproof.h @@ -16,17 +16,17 @@ extern "C" { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage, transmission, or - * comparison, use rustsecp256k1zkp_v0_5_0_pedersen_commitment_serialize and - * rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse. + * comparison, use rustsecp256k1zkp_v0_6_0_pedersen_commitment_serialize and + * rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse. */ typedef struct { unsigned char data[64]; -} rustsecp256k1zkp_v0_5_0_pedersen_commitment; +} rustsecp256k1zkp_v0_6_0_pedersen_commitment; /** * Static constant generator 'h' maintained for historical reasons. */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_generator *rustsecp256k1zkp_v0_5_0_generator_h; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_generator *rustsecp256k1zkp_v0_6_0_generator_h; /** Parse a 33-byte commitment into a commitment object. * @@ -35,9 +35,9 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_generator *rustsecp256k1zkp_v * Out: commit: pointer to the output commitment object * In: input: pointer to a 33-byte serialized commitment key */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pedersen_commitment* commit, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pedersen_commitment* commit, const unsigned char *input ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -46,13 +46,13 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_ * Returns: 1 always. * Args: ctx: a secp256k1 context object. * Out: output: a pointer to a 33-byte byte array - * In: commit: a pointer to a rustsecp256k1zkp_v0_5_0_pedersen_commitment containing an + * In: commit: a pointer to a rustsecp256k1zkp_v0_6_0_pedersen_commitment containing an * initialized commitment */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_pedersen_commitment_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_pedersen_commitment_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment* commit + const rustsecp256k1zkp_v0_6_0_pedersen_commitment* commit ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Generate a pedersen commitment. @@ -68,12 +68,12 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_pedersen_commitment_serialize( * * Blinding factors can be generated and verified in the same way as secp256k1 private keys for ECDSA. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_commit( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_pedersen_commit( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *blind, uint64_t value, - const rustsecp256k1zkp_v0_5_0_generator *gen + const rustsecp256k1zkp_v0_6_0_generator *gen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5); /** Computes the sum of multiple positive and negative blinding factors. @@ -87,8 +87,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_ * npositive: how many of the initial factors should be treated with a positive sign. * Out: blind_out: pointer to a 32-byte array for the sum (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_blind_sum( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_pedersen_blind_sum( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *blind_out, const unsigned char * const *blinds, size_t n, @@ -111,11 +111,11 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_ * A all blinding factors and all values must sum to zero. * */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_verify_tally( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment * const* commits, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_pedersen_verify_tally( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_pedersen_commitment * const* commits, size_t pcnt, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment * const* ncommits, + const rustsecp256k1zkp_v0_6_0_pedersen_commitment * const* ncommits, size_t ncnt ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4); @@ -149,8 +149,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_ * May not be NULL unless `n_total` is 0. * the last value will be modified to get the total sum to zero. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum( + const rustsecp256k1zkp_v0_6_0_context* ctx, const uint64_t *value, const unsigned char* const* generator_blind, unsigned char* const* blinding_factor, @@ -171,16 +171,16 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_pedersen_ * Out: min_value: pointer to a unsigned int64 which will be updated with the minimum value that commit could have. (cannot be NULL) * max_value: pointer to a unsigned int64 which will be updated with the maximum value that commit could have. (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproof_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_rangeproof_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, uint64_t *min_value, uint64_t *max_value, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, - const rustsecp256k1zkp_v0_5_0_generator* gen + const rustsecp256k1zkp_v0_6_0_generator* gen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(9); /** Verify a range proof proof and rewind the proof to recover information sent by its author. @@ -203,8 +203,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproo * min_value: pointer to an unsigned int64 which will be updated with the minimum value that commit could have. (cannot be NULL) * max_value: pointer to an unsigned int64 which will be updated with the maximum value that commit could have. (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproof_rewind( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_rangeproof_rewind( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *blind_out, uint64_t *value_out, unsigned char *message_out, @@ -212,12 +212,12 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproo const unsigned char *nonce, uint64_t *min_value, uint64_t *max_value, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, - const rustsecp256k1zkp_v0_5_0_generator *gen + const rustsecp256k1zkp_v0_6_0_generator *gen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(9) SECP256K1_ARG_NONNULL(10) SECP256K1_ARG_NONNULL(14); /** Author a proof that a committed value is within a range. @@ -247,12 +247,12 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproo * This can randomly fail with probability around one in 2^100. If this happens, buy a lottery ticket and retry with a different nonce or blinding. * */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproof_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_rangeproof_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *proof, size_t *plen, uint64_t min_value, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *blind, const unsigned char *nonce, int exp, @@ -262,7 +262,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproo size_t msg_len, const unsigned char *extra_commit, size_t extra_commit_len, - const rustsecp256k1zkp_v0_5_0_generator *gen + const rustsecp256k1zkp_v0_6_0_generator *gen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(15); /** Extract some basic information from a range-proof. @@ -276,8 +276,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproo * min_value: pointer to an unsigned int64 which will be updated with the minimum value that commit could have. (cannot be NULL) * max_value: pointer to an unsigned int64 which will be updated with the maximum value that commit could have. (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_rangeproof_info( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_rangeproof_info( + const rustsecp256k1zkp_v0_6_0_context* ctx, int *exp, int *mantissa, uint64_t *min_value, diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_recovery.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_recovery.h index 2b57b1d4..9f28613e 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_recovery.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_recovery.h @@ -14,8 +14,8 @@ extern "C" { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 65 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage or transmission, use - * the rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_* and - * rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_* functions. + * the rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_* and + * rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_* functions. * * Furthermore, it is guaranteed that identical signatures (including their * recoverability) will have identical representation, so they can be @@ -23,7 +23,7 @@ extern "C" { */ typedef struct { unsigned char data[65]; -} rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature; +} rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature; /** Parse a compact ECDSA signature (64 bytes + recovery id). * @@ -33,9 +33,9 @@ typedef struct { * In: input64: a pointer to a 64-byte compact signature * recid: the recovery id (0, 1, 2 or 3) */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -46,10 +46,10 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_comp * Out: sig: a pointer to a normal signature (cannot be NULL). * In: sigin: a pointer to a recoverable signature (cannot be NULL). */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, - const rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sigin +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, + const rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sigin ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Serialize an ECDSA signature in compact format (64 bytes + recovery id). @@ -60,11 +60,11 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert( * recid: a pointer to an integer to hold the recovery id (can be NULL). * In: sig: a pointer to an initialized signature object (cannot be NULL) */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output64, int *recid, - const rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sig + const rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Create a recoverable ECDSA signature. @@ -75,15 +75,15 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_ * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) * In: msghash32: the 32-byte message hash being signed (cannot be NULL) * seckey: pointer to a 32-byte secret key (cannot be NULL) - * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_5_0_nonce_function_default is used + * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_6_0_nonce_function_default is used * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature *sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, - rustsecp256k1zkp_v0_5_0_nonce_function noncefp, + rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -96,10 +96,10 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable( * In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL) * msghash32: the 32-byte message hash assumed to be signed (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_ecdsa_recover( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_pubkey *pubkey, - const rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature *sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_ecdsa_recover( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_pubkey *pubkey, + const rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature *sig, const unsigned char *msghash32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_schnorrsig.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_schnorrsig.h index 91b5012e..0484962d 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_schnorrsig.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_schnorrsig.h @@ -15,7 +15,7 @@ extern "C" { /** A pointer to a function to deterministically generate a nonce. * - * Same as rustsecp256k1zkp_v0_5_0_nonce function with the exception of accepting an + * Same as rustsecp256k1zkp_v0_6_0_nonce function with the exception of accepting an * additional pubkey argument and not requiring an attempt argument. The pubkey * argument can protect signature schemes with key-prefixed challenge hash * inputs against reusing the nonce when signing with the wrong precomputed @@ -35,7 +35,7 @@ extern "C" { * Except for test cases, this function should compute some cryptographic hash of * the message, the key, the pubkey, the algorithm description, and data. */ -typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function_hardened)( +typedef int (*rustsecp256k1zkp_v0_6_0_nonce_function_hardened)( unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, @@ -56,16 +56,16 @@ typedef int (*rustsecp256k1zkp_v0_5_0_nonce_function_hardened)( * bytes. Therefore, to create BIP-340 compliant signatures, algo16 must be set * to "BIP0340/nonce\0\0\0" */ -SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function_hardened rustsecp256k1zkp_v0_5_0_nonce_function_bip340; +SECP256K1_API extern const rustsecp256k1zkp_v0_6_0_nonce_function_hardened rustsecp256k1zkp_v0_6_0_nonce_function_bip340; /** Create a Schnorr signature. * * Does _not_ strictly follow BIP-340 because it does not verify the resulting - * signature. Instead, you can manually use rustsecp256k1zkp_v0_5_0_schnorrsig_verify and + * signature. Instead, you can manually use rustsecp256k1zkp_v0_6_0_schnorrsig_verify and * abort if it fails. * * Otherwise BIP-340 compliant if the noncefp argument is NULL or - * rustsecp256k1zkp_v0_5_0_nonce_function_bip340 and the ndata argument is 32-byte auxiliary + * rustsecp256k1zkp_v0_6_0_nonce_function_bip340 and the ndata argument is 32-byte auxiliary * randomness. * * Returns 1 on success, 0 on failure. @@ -73,18 +73,18 @@ SECP256K1_API extern const rustsecp256k1zkp_v0_5_0_nonce_function_hardened rusts * Out: sig64: pointer to a 64-byte array to store the serialized signature (cannot be NULL) * In: msg32: the 32-byte message being signed (cannot be NULL) * keypair: pointer to an initialized keypair (cannot be NULL) - * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_5_0_nonce_function_bip340 is used + * noncefp: pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_6_0_nonce_function_bip340 is used * ndata: pointer to arbitrary data used by the nonce generation * function (can be NULL). If it is non-NULL and - * rustsecp256k1zkp_v0_5_0_nonce_function_bip340 is used, then ndata must be a + * rustsecp256k1zkp_v0_6_0_nonce_function_bip340 is used, then ndata must be a * pointer to 32-byte auxiliary randomness as per BIP-340. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_schnorrsig_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_schnorrsig_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *sig64, const unsigned char *msg32, - const rustsecp256k1zkp_v0_5_0_keypair *keypair, - rustsecp256k1zkp_v0_5_0_nonce_function_hardened noncefp, + const rustsecp256k1zkp_v0_6_0_keypair *keypair, + rustsecp256k1zkp_v0_6_0_nonce_function_hardened noncefp, void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -97,11 +97,11 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_schnorrsig_sign( * msg32: the 32-byte message being verified (cannot be NULL) * pubkey: pointer to an x-only public key to verify with (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_schnorrsig_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_schnorrsig_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *sig64, const unsigned char *msg32, - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); #ifdef __cplusplus diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_surjectionproof.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_surjectionproof.h index 87b2fdfe..eb934aaa 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_surjectionproof.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_surjectionproof.h @@ -32,8 +32,8 @@ extern "C" { * will have identical representation. (That is, memcmp may return nonzero * even for identical proofs.) * - * To obtain these properties, instead use rustsecp256k1zkp_v0_5_0_surjectionproof_parse - * and rustsecp256k1zkp_v0_5_0_surjectionproof_serialize to encode/decode proofs into a + * To obtain these properties, instead use rustsecp256k1zkp_v0_6_0_surjectionproof_parse + * and rustsecp256k1zkp_v0_6_0_surjectionproof_serialize to encode/decode proofs into a * well-defined format. * * The representation is exposed to allow creation of these objects on the @@ -41,7 +41,7 @@ extern "C" { */ typedef struct { #ifdef VERIFY - /** Mark whether this proof has gone through `rustsecp256k1zkp_v0_5_0_surjectionproof_initialize` */ + /** Mark whether this proof has gone through `rustsecp256k1zkp_v0_6_0_surjectionproof_initialize` */ int initialized; #endif /** Total number of input asset tags */ @@ -50,7 +50,7 @@ typedef struct { unsigned char used_inputs[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS / 8]; /** Borromean signature: e0, scalars */ unsigned char data[32 * (1 + SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS)]; -} rustsecp256k1zkp_v0_5_0_surjectionproof; +} rustsecp256k1zkp_v0_6_0_surjectionproof; #ifndef USE_REDUCED_SURJECTION_PROOF_SIZE /** Parse a surjection proof @@ -68,9 +68,9 @@ typedef struct { * - `m` big-endian 32-byte borromean signature s values, where `m` * is the number of set bits in the bitmap */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_surjectionproof_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_surjectionproof *proof, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_surjectionproof_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_surjectionproof *proof, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -86,13 +86,13 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_surjectionproof_parse( * size. * In: proof: a pointer to an initialized proof object * - * See rustsecp256k1zkp_v0_5_0_surjectionproof_parse for details about the encoding. + * See rustsecp256k1zkp_v0_6_0_surjectionproof_parse for details about the encoding. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_surjectionproof_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_surjectionproof_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, - const rustsecp256k1zkp_v0_5_0_surjectionproof *proof + const rustsecp256k1zkp_v0_6_0_surjectionproof *proof ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Data structure that holds a fixed asset tag. @@ -103,7 +103,7 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_surjectionproof_serialize( */ typedef struct { unsigned char data[32]; -} rustsecp256k1zkp_v0_5_0_fixed_asset_tag; +} rustsecp256k1zkp_v0_6_0_fixed_asset_tag; /** Returns the total number of inputs a proof expects to be over. * @@ -111,9 +111,9 @@ typedef struct { * In: ctx: pointer to a context object * proof: a pointer to a proof object */ -SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_surjectionproof* proof +SECP256K1_API size_t rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_surjectionproof* proof ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); /** Returns the actual number of inputs that a proof uses @@ -122,9 +122,9 @@ SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs( * In: ctx: pointer to a context object * proof: a pointer to a proof object */ -SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_surjectionproof* proof +SECP256K1_API size_t rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_surjectionproof* proof ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); /** Returns the total size this proof would take, in bytes, when serialized @@ -133,13 +133,13 @@ SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs( * In: ctx: pointer to a context object * proof: a pointer to a proof object */ -SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_surjectionproof* proof +SECP256K1_API size_t rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_surjectionproof* proof ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); /** Surjection proof initialization function; decides on inputs to use - * To be used to initialize stack-allocated rustsecp256k1zkp_v0_5_0_surjectionproof struct + * To be used to initialize stack-allocated rustsecp256k1zkp_v0_6_0_surjectionproof struct * Returns 0: inputs could not be selected * n: inputs were selected after n iterations of random selection * @@ -161,14 +161,14 @@ SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size( * the state of the proof is undefined. * input_index: The index of the actual input that is secretly mapped to the output */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_surjectionproof_initialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_surjectionproof* proof, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_surjectionproof_initialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_surjectionproof* proof, size_t *input_index, - const rustsecp256k1zkp_v0_5_0_fixed_asset_tag* fixed_input_tags, + const rustsecp256k1zkp_v0_6_0_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, - const rustsecp256k1zkp_v0_5_0_fixed_asset_tag* fixed_output_tag, + const rustsecp256k1zkp_v0_6_0_fixed_asset_tag* fixed_output_tag, const size_t n_max_iterations, const unsigned char *random_seed32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7); @@ -179,7 +179,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_surjectio * n: inputs were selected after n iterations of random selection * * In: ctx: pointer to a context object - * proof_out_p: a pointer to a pointer to `rustsecp256k1zkp_v0_5_0_surjectionproof*`. + * proof_out_p: a pointer to a pointer to `rustsecp256k1zkp_v0_6_0_surjectionproof*`. * the newly-allocated struct pointer will be saved here. * fixed_input_tags: fixed input tags `A_i` for all inputs. (If the fixed tag is not known, * e.g. in a coinjoin with others' inputs, an ephemeral tag can be given; @@ -197,25 +197,25 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_surjectio * In case of failure, the pointer will be NULL. * input_index: The index of the actual input that is secretly mapped to the output */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_surjectionproof** proof_out_p, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_surjectionproof** proof_out_p, size_t *input_index, - const rustsecp256k1zkp_v0_5_0_fixed_asset_tag* fixed_input_tags, + const rustsecp256k1zkp_v0_6_0_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, - const rustsecp256k1zkp_v0_5_0_fixed_asset_tag* fixed_output_tag, + const rustsecp256k1zkp_v0_6_0_fixed_asset_tag* fixed_output_tag, const size_t n_max_iterations, const unsigned char *random_seed32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(7); /** Surjection proof destroy function - * deallocates the struct that was allocated with rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized + * deallocates the struct that was allocated with rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized * - * In: proof: pointer to rustsecp256k1zkp_v0_5_0_surjectionproof struct + * In: proof: pointer to rustsecp256k1zkp_v0_6_0_surjectionproof struct */ -SECP256K1_API void rustsecp256k1zkp_v0_5_0_surjectionproof_destroy( - rustsecp256k1zkp_v0_5_0_surjectionproof* proof +SECP256K1_API void rustsecp256k1zkp_v0_6_0_surjectionproof_destroy( + rustsecp256k1zkp_v0_6_0_surjectionproof* proof ) SECP256K1_ARG_NONNULL(1); /** Surjection proof generation function @@ -229,14 +229,14 @@ SECP256K1_API void rustsecp256k1zkp_v0_5_0_surjectionproof_destroy( * input_index: the index of the input that actually maps to the output * input_blinding_key: the blinding key of the input * output_blinding_key: the blinding key of the output - * In/Out: proof: The produced surjection proof. Must have already gone through `rustsecp256k1zkp_v0_5_0_surjectionproof_initialize` + * In/Out: proof: The produced surjection proof. Must have already gone through `rustsecp256k1zkp_v0_6_0_surjectionproof_initialize` */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_surjectionproof_generate( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_surjectionproof* proof, - const rustsecp256k1zkp_v0_5_0_generator* ephemeral_input_tags, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_6_0_surjectionproof_generate( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_surjectionproof* proof, + const rustsecp256k1zkp_v0_6_0_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, - const rustsecp256k1zkp_v0_5_0_generator* ephemeral_output_tag, + const rustsecp256k1zkp_v0_6_0_generator* ephemeral_output_tag, size_t input_index, const unsigned char *input_blinding_key, const unsigned char *output_blinding_key @@ -254,12 +254,12 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1zkp_v0_5_0_surjectio * n_ephemeral_input_tags: the number of entries in the ephemeral_input_tags array * ephemeral_output_tag: the ephemeral asset tag of the output */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_surjectionproof_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_surjectionproof* proof, - const rustsecp256k1zkp_v0_5_0_generator* ephemeral_input_tags, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_surjectionproof_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_surjectionproof* proof, + const rustsecp256k1zkp_v0_6_0_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, - const rustsecp256k1zkp_v0_5_0_generator* ephemeral_output_tag + const rustsecp256k1zkp_v0_6_0_generator* ephemeral_output_tag ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5); #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_whitelist.h b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_whitelist.h index 02e3808f..c8e2408b 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_whitelist.h +++ b/secp256k1-zkp-sys/depend/secp256k1/include/secp256k1_whitelist.h @@ -23,19 +23,19 @@ extern "C" { * will have identical representation. (That is, memcmp may return nonzero * even for identical signatures.) * - * To obtain these properties, instead use rustsecp256k1zkp_v0_5_0_whitelist_signature_parse - * and rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize to encode/decode signatures + * To obtain these properties, instead use rustsecp256k1zkp_v0_6_0_whitelist_signature_parse + * and rustsecp256k1zkp_v0_6_0_whitelist_signature_serialize to encode/decode signatures * into a well-defined format. * * The representation is exposed to allow creation of these objects on the * stack; please *do not* use these internals directly. To learn the number - * of keys for a signature, use `rustsecp256k1zkp_v0_5_0_whitelist_signature_n_keys`. + * of keys for a signature, use `rustsecp256k1zkp_v0_6_0_whitelist_signature_n_keys`. */ typedef struct { size_t n_keys; /* e0, scalars */ unsigned char data[32 * (1 + SECP256K1_WHITELIST_MAX_N_KEYS)]; -} rustsecp256k1zkp_v0_5_0_whitelist_signature; +} rustsecp256k1zkp_v0_6_0_whitelist_signature; /** Parse a whitelist signature * @@ -57,9 +57,9 @@ typedef struct { * scalar values overflow or are zero, the resulting sig value is guaranteed * to fail validation for any set of keys. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_signature_parse( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_whitelist_signature *sig, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_whitelist_signature_parse( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_whitelist_signature *sig, const unsigned char *input, size_t input_len ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -69,8 +69,8 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_signature_parse( * Returns: the number of keys for the given signature * In: sig: a pointer to a signature object */ -SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_whitelist_signature_n_keys( - const rustsecp256k1zkp_v0_5_0_whitelist_signature *sig +SECP256K1_API size_t rustsecp256k1zkp_v0_6_0_whitelist_signature_n_keys( + const rustsecp256k1zkp_v0_6_0_whitelist_signature *sig ) SECP256K1_ARG_NONNULL(1); /** Serialize a whitelist signature @@ -81,13 +81,13 @@ SECP256K1_API size_t rustsecp256k1zkp_v0_5_0_whitelist_signature_n_keys( * In/Out: output_len: length of the above array, updated with the actual serialized length * In: sig: a pointer to an initialized signature object * - * See rustsecp256k1zkp_v0_5_0_whitelist_signature_parse for details about the encoding. + * See rustsecp256k1zkp_v0_6_0_whitelist_signature_parse for details about the encoding. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize( - const rustsecp256k1zkp_v0_5_0_context* ctx, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_whitelist_signature_serialize( + const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *output_len, - const rustsecp256k1zkp_v0_5_0_whitelist_signature *sig + const rustsecp256k1zkp_v0_6_0_whitelist_signature *sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Compute a whitelist signature @@ -101,7 +101,7 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize( * online_seckey: the secret key to the signer's online pubkey * summed_seckey: the secret key to the sum of (whitelisted key, signer's offline pubkey) * index: the signer's index in the lists of keys - * noncefp:pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_5_0_nonce_function_default is used + * noncefp:pointer to a nonce generation function. If NULL, rustsecp256k1zkp_v0_6_0_nonce_function_default is used * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) * Out: sig: The produced signature. * @@ -112,17 +112,17 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize( * for each public key pair (offline_i, offline_i). Here H means sha256 of the * compressed serialization of the key. */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_sign( - const rustsecp256k1zkp_v0_5_0_context* ctx, - rustsecp256k1zkp_v0_5_0_whitelist_signature *sig, - const rustsecp256k1zkp_v0_5_0_pubkey *online_pubkeys, - const rustsecp256k1zkp_v0_5_0_pubkey *offline_pubkeys, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_whitelist_sign( + const rustsecp256k1zkp_v0_6_0_context* ctx, + rustsecp256k1zkp_v0_6_0_whitelist_signature *sig, + const rustsecp256k1zkp_v0_6_0_pubkey *online_pubkeys, + const rustsecp256k1zkp_v0_6_0_pubkey *offline_pubkeys, const size_t n_keys, - const rustsecp256k1zkp_v0_5_0_pubkey *sub_pubkey, + const rustsecp256k1zkp_v0_6_0_pubkey *sub_pubkey, const unsigned char *online_seckey, const unsigned char *summed_seckey, const size_t index, - rustsecp256k1zkp_v0_5_0_nonce_function noncefp, + rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void *noncedata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8); @@ -136,13 +136,13 @@ SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_sign( * n_keys: the number of entries in each of the above two arrays * sub_pubkey: the key to be whitelisted */ -SECP256K1_API int rustsecp256k1zkp_v0_5_0_whitelist_verify( - const rustsecp256k1zkp_v0_5_0_context* ctx, - const rustsecp256k1zkp_v0_5_0_whitelist_signature *sig, - const rustsecp256k1zkp_v0_5_0_pubkey *online_pubkeys, - const rustsecp256k1zkp_v0_5_0_pubkey *offline_pubkeys, +SECP256K1_API int rustsecp256k1zkp_v0_6_0_whitelist_verify( + const rustsecp256k1zkp_v0_6_0_context* ctx, + const rustsecp256k1zkp_v0_6_0_whitelist_signature *sig, + const rustsecp256k1zkp_v0_6_0_pubkey *online_pubkeys, + const rustsecp256k1zkp_v0_6_0_pubkey *offline_pubkeys, const size_t n_keys, - const rustsecp256k1zkp_v0_5_0_pubkey *sub_pubkey + const rustsecp256k1zkp_v0_6_0_pubkey *sub_pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(6); #ifdef __cplusplus diff --git a/secp256k1-zkp-sys/depend/secp256k1/obj/.gitignore b/secp256k1-zkp-sys/depend/secp256k1/obj/.gitignore deleted file mode 100644 index e69de29b..00000000 diff --git a/secp256k1-zkp-sys/depend/secp256k1/sage/gen_exhaustive_groups.sage b/secp256k1-zkp-sys/depend/secp256k1/sage/gen_exhaustive_groups.sage index a86cf044..ac7df28e 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/sage/gen_exhaustive_groups.sage +++ b/secp256k1-zkp-sys/depend/secp256k1/sage/gen_exhaustive_groups.sage @@ -1,4 +1,4 @@ -load("rustsecp256k1zkp_v0_5_0_params.sage") +load("rustsecp256k1zkp_v0_6_0_params.sage") orders_done = set() results = {} @@ -95,13 +95,13 @@ for f in sorted(results.keys()): G = results[f]["G"] print("# %s EXHAUSTIVE_TEST_ORDER == %i" % ("if" if first else "elif", f)) first = False - print("static const rustsecp256k1zkp_v0_5_0_ge rustsecp256k1zkp_v0_5_0_ge_const_g = SECP256K1_GE_CONST(") + print("static const rustsecp256k1zkp_v0_6_0_ge rustsecp256k1zkp_v0_6_0_ge_const_g = SECP256K1_GE_CONST(") print(" 0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(G[0]) >> (32 * (7 - i))) & 0xffffffff for i in range(4))) print(" 0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(G[0]) >> (32 * (7 - i))) & 0xffffffff for i in range(4, 8))) print(" 0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(G[1]) >> (32 * (7 - i))) & 0xffffffff for i in range(4))) print(" 0x%08x, 0x%08x, 0x%08x, 0x%08x" % tuple((int(G[1]) >> (32 * (7 - i))) & 0xffffffff for i in range(4, 8))) print(");") - print("static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_fe_const_b = SECP256K1_FE_CONST(") + print("static const rustsecp256k1zkp_v0_6_0_fe rustsecp256k1zkp_v0_6_0_fe_const_b = SECP256K1_FE_CONST(") print(" 0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(b) >> (32 * (7 - i))) & 0xffffffff for i in range(4))) print(" 0x%08x, 0x%08x, 0x%08x, 0x%08x" % tuple((int(b) >> (32 * (7 - i))) & 0xffffffff for i in range(4, 8))) print(");") diff --git a/secp256k1-zkp-sys/depend/secp256k1/sage/gen_split_lambda_constants.sage b/secp256k1-zkp-sys/depend/secp256k1/sage/gen_split_lambda_constants.sage index 80cec6e4..44be805c 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/sage/gen_split_lambda_constants.sage +++ b/secp256k1-zkp-sys/depend/secp256k1/sage/gen_split_lambda_constants.sage @@ -1,9 +1,9 @@ -""" Generates the constants used in rustsecp256k1zkp_v0_5_0_scalar_split_lambda. +""" Generates the constants used in rustsecp256k1zkp_v0_6_0_scalar_split_lambda. -See the comments for rustsecp256k1zkp_v0_5_0_scalar_split_lambda in src/scalar_impl.h for detailed explanations. +See the comments for rustsecp256k1zkp_v0_6_0_scalar_split_lambda in src/scalar_impl.h for detailed explanations. """ -load("rustsecp256k1zkp_v0_5_0_params.sage") +load("rustsecp256k1zkp_v0_6_0_params.sage") def inf_norm(v): """Returns the infinity norm of a vector.""" @@ -24,17 +24,17 @@ def gauss_reduction(i1, i2): v2[1] -= m*v1[1] def find_split_constants_gauss(): - """Find constants for rustsecp256k1zkp_v0_5_0_scalar_split_lamdba using gauss reduction.""" + """Find constants for rustsecp256k1zkp_v0_6_0_scalar_split_lamdba using gauss reduction.""" (v11, v12), (v21, v22) = gauss_reduction([0, N], [1, int(LAMBDA)]) - # We use related vectors in rustsecp256k1zkp_v0_5_0_scalar_split_lambda. + # We use related vectors in rustsecp256k1zkp_v0_6_0_scalar_split_lambda. A1, B1 = -v21, -v11 A2, B2 = v22, -v21 return A1, B1, A2, B2 def find_split_constants_explicit_tof(): - """Find constants for rustsecp256k1zkp_v0_5_0_scalar_split_lamdba using the trace of Frobenius. + """Find constants for rustsecp256k1zkp_v0_6_0_scalar_split_lamdba using the trace of Frobenius. See Benjamin Smith: "Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians" (https://eprint.iacr.org/2013/672), Example 2 @@ -51,7 +51,7 @@ def find_split_constants_explicit_tof(): A2 = Integer((t + c)/2 - 1) B2 = Integer(1 - (t - c)/2) - # We use a negated b values in rustsecp256k1zkp_v0_5_0_scalar_split_lambda. + # We use a negated b values in rustsecp256k1zkp_v0_6_0_scalar_split_lambda. B1, B2 = -B1, -B2 return A1, B1, A2, B2 @@ -90,7 +90,7 @@ def rnddiv2(v): return v >> 1 def scalar_lambda_split(k): - """Equivalent to rustsecp256k1zkp_v0_5_0_scalar_lambda_split().""" + """Equivalent to rustsecp256k1zkp_v0_6_0_scalar_lambda_split().""" c1 = rnddiv2((k * G1) >> 383) c2 = rnddiv2((k * G2) >> 383) c1 = (c1 * -B1) % N diff --git a/secp256k1-zkp-sys/depend/secp256k1/sage/prove_group_implementations.sage b/secp256k1-zkp-sys/depend/secp256k1/sage/prove_group_implementations.sage index b1400bd5..9260385f 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/sage/prove_group_implementations.sage +++ b/secp256k1-zkp-sys/depend/secp256k1/sage/prove_group_implementations.sage @@ -5,8 +5,8 @@ import sys load("group_prover.sage") load("weierstrass_prover.sage") -def formula_rustsecp256k1zkp_v0_5_0_gej_double_var(a): - """libsecp256k1's rustsecp256k1zkp_v0_5_0_gej_double_var, used by various addition functions""" +def formula_rustsecp256k1zkp_v0_6_0_gej_double_var(a): + """libsecp256k1's rustsecp256k1zkp_v0_6_0_gej_double_var, used by various addition functions""" rz = a.Z * a.Y rz = rz * 2 t1 = a.X^2 @@ -29,8 +29,8 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_double_var(a): ry = ry + t2 return jacobianpoint(rx, ry, rz) -def formula_rustsecp256k1zkp_v0_5_0_gej_add_var(branch, a, b): - """libsecp256k1's rustsecp256k1zkp_v0_5_0_gej_add_var""" +def formula_rustsecp256k1zkp_v0_6_0_gej_add_var(branch, a, b): + """libsecp256k1's rustsecp256k1zkp_v0_6_0_gej_add_var""" if branch == 0: return (constraints(), constraints(nonzero={a.Infinity : 'a_infinite'}), b) if branch == 1: @@ -48,7 +48,7 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_var(branch, a, b): i = -s1 i = i + s2 if branch == 2: - r = formula_rustsecp256k1zkp_v0_5_0_gej_double_var(a) + r = formula_rustsecp256k1zkp_v0_6_0_gej_double_var(a) return (constraints(), constraints(zero={h : 'h=0', i : 'i=0', a.Infinity : 'a_finite', b.Infinity : 'b_finite'}), r) if branch == 3: return (constraints(), constraints(zero={h : 'h=0', a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={i : 'i!=0'}), point_at_infinity()) @@ -71,8 +71,8 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_var(branch, a, b): ry = ry + h3 return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={h : 'h!=0'}), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_var(branch, a, b): - """libsecp256k1's rustsecp256k1zkp_v0_5_0_gej_add_ge_var, which assume bz==1""" +def formula_rustsecp256k1zkp_v0_6_0_gej_add_ge_var(branch, a, b): + """libsecp256k1's rustsecp256k1zkp_v0_6_0_gej_add_ge_var, which assume bz==1""" if branch == 0: return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(nonzero={a.Infinity : 'a_infinite'}), b) if branch == 1: @@ -88,7 +88,7 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_var(branch, a, b): i = -s1 i = i + s2 if (branch == 2): - r = formula_rustsecp256k1zkp_v0_5_0_gej_double_var(a) + r = formula_rustsecp256k1zkp_v0_6_0_gej_double_var(a) return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0', i : 'i=0'}), r) if (branch == 3): return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0'}, nonzero={i : 'i!=0'}), point_at_infinity()) @@ -110,8 +110,8 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_var(branch, a, b): ry = ry + h3 return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={h : 'h!=0'}), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(branch, a, b): - """libsecp256k1's rustsecp256k1zkp_v0_5_0_gej_add_zinv_var""" +def formula_rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(branch, a, b): + """libsecp256k1's rustsecp256k1zkp_v0_6_0_gej_add_zinv_var""" bzinv = b.Z^(-1) if branch == 0: return (constraints(), constraints(nonzero={b.Infinity : 'b_infinite'}), a) @@ -134,7 +134,7 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(branch, a, b): i = -s1 i = i + s2 if branch == 2: - r = formula_rustsecp256k1zkp_v0_5_0_gej_double_var(a) + r = formula_rustsecp256k1zkp_v0_6_0_gej_double_var(a) return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0', i : 'i=0'}), r) if branch == 3: return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0'}, nonzero={i : 'i!=0'}), point_at_infinity()) @@ -157,8 +157,8 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(branch, a, b): ry = ry + h3 return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={h : 'h!=0'}), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1zkp_v0_5_0_gej_add_ge(branch, a, b): - """libsecp256k1's rustsecp256k1zkp_v0_5_0_gej_add_ge""" +def formula_rustsecp256k1zkp_v0_6_0_gej_add_ge(branch, a, b): + """libsecp256k1's rustsecp256k1zkp_v0_6_0_gej_add_ge""" zeroes = {} nonzeroes = {} a_infinity = False @@ -229,8 +229,8 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_ge(branch, a, b): return (constraints(zero={b.Z - 1 : 'b.z=1', b.Infinity : 'b_finite'}), constraints(zero=zeroes, nonzero=nonzeroes), point_at_infinity()) return (constraints(zero={b.Z - 1 : 'b.z=1', b.Infinity : 'b_finite'}), constraints(zero=zeroes, nonzero=nonzeroes), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_old(branch, a, b): - """libsecp256k1's old rustsecp256k1zkp_v0_5_0_gej_add_ge, which fails when ay+by=0 but ax!=bx""" +def formula_rustsecp256k1zkp_v0_6_0_gej_add_ge_old(branch, a, b): + """libsecp256k1's old rustsecp256k1zkp_v0_6_0_gej_add_ge, which fails when ay+by=0 but ax!=bx""" a_infinity = (branch & 1) != 0 zero = {} nonzero = {} @@ -292,15 +292,15 @@ def formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_old(branch, a, b): return (constraints(zero={b.Z - 1 : 'b.z=1', b.Infinity : 'b_finite'}), constraints(zero=zero, nonzero=nonzero), jacobianpoint(rx, ry, rz)) if __name__ == "__main__": - check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_5_0_gej_add_var) - check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_var) - check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_5_0_gej_add_zinv_var) - check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_ge", 0, 7, 16, formula_rustsecp256k1zkp_v0_5_0_gej_add_ge) - check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_old) + check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_6_0_gej_add_var) + check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_6_0_gej_add_ge_var) + check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_6_0_gej_add_zinv_var) + check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_ge", 0, 7, 16, formula_rustsecp256k1zkp_v0_6_0_gej_add_ge) + check_symbolic_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1zkp_v0_6_0_gej_add_ge_old) if len(sys.argv) >= 2 and sys.argv[1] == "--exhaustive": - check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_5_0_gej_add_var, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_var, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_5_0_gej_add_zinv_var, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_ge", 0, 7, 16, formula_rustsecp256k1zkp_v0_5_0_gej_add_ge, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_5_0_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1zkp_v0_5_0_gej_add_ge_old, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_6_0_gej_add_var, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_6_0_gej_add_ge_var, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1zkp_v0_6_0_gej_add_zinv_var, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_ge", 0, 7, 16, formula_rustsecp256k1zkp_v0_6_0_gej_add_ge, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1zkp_v0_6_0_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1zkp_v0_6_0_gej_add_ge_old, 43) diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/asm/field_10x26_arm.s b/secp256k1-zkp-sys/depend/secp256k1/src/asm/field_10x26_arm.s index 6daba204..fcee8a85 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/asm/field_10x26_arm.s +++ b/secp256k1-zkp-sys/depend/secp256k1/src/asm/field_10x26_arm.s @@ -27,8 +27,8 @@ Note: .set field_not_M, 0xfc000000 @ ~M = ~0x3ffffff .align 2 - .global rustsecp256k1zkp_v0_5_0_fe_mul_inner - .type rustsecp256k1zkp_v0_5_0_fe_mul_inner, %function + .global rustsecp256k1zkp_v0_6_0_fe_mul_inner + .type rustsecp256k1zkp_v0_6_0_fe_mul_inner, %function @ Arguments: @ r0 r Restrict: can overlap with a, not with b @ r1 a @@ -36,7 +36,7 @@ Note: @ Stack (total 4+10*4 = 44) @ sp + #0 saved 'r' pointer @ sp + #4 + 4*X t0,t1,t2,t3,t4,t5,t6,t7,u8,t9 -rustsecp256k1zkp_v0_5_0_fe_mul_inner: +rustsecp256k1zkp_v0_6_0_fe_mul_inner: stmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, r14} sub sp, sp, #48 @ frame=44 + alignment str r0, [sp, #0] @ save result address, we need it only at the end @@ -511,18 +511,18 @@ rustsecp256k1zkp_v0_5_0_fe_mul_inner: add sp, sp, #48 ldmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc} - .size rustsecp256k1zkp_v0_5_0_fe_mul_inner, .-rustsecp256k1zkp_v0_5_0_fe_mul_inner + .size rustsecp256k1zkp_v0_6_0_fe_mul_inner, .-rustsecp256k1zkp_v0_6_0_fe_mul_inner .align 2 - .global rustsecp256k1zkp_v0_5_0_fe_sqr_inner - .type rustsecp256k1zkp_v0_5_0_fe_sqr_inner, %function + .global rustsecp256k1zkp_v0_6_0_fe_sqr_inner + .type rustsecp256k1zkp_v0_6_0_fe_sqr_inner, %function @ Arguments: @ r0 r Can overlap with a @ r1 a @ Stack (total 4+10*4 = 44) @ sp + #0 saved 'r' pointer @ sp + #4 + 4*X t0,t1,t2,t3,t4,t5,t6,t7,u8,t9 -rustsecp256k1zkp_v0_5_0_fe_sqr_inner: +rustsecp256k1zkp_v0_6_0_fe_sqr_inner: stmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, r14} sub sp, sp, #48 @ frame=44 + alignment str r0, [sp, #0] @ save result address, we need it only at the end @@ -909,5 +909,5 @@ rustsecp256k1zkp_v0_5_0_fe_sqr_inner: add sp, sp, #48 ldmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc} - .size rustsecp256k1zkp_v0_5_0_fe_sqr_inner, .-rustsecp256k1zkp_v0_5_0_fe_sqr_inner + .size rustsecp256k1zkp_v0_6_0_fe_sqr_inner, .-rustsecp256k1zkp_v0_6_0_fe_sqr_inner diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/assumptions.h b/secp256k1-zkp-sys/depend/secp256k1/src/assumptions.h index 8db12a63..abf71ebc 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/assumptions.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/assumptions.h @@ -16,7 +16,7 @@ reduce the odds of experiencing an unwelcome surprise. */ -struct rustsecp256k1zkp_v0_5_0_assumption_checker { +struct rustsecp256k1zkp_v0_6_0_assumption_checker { /* This uses a trick to implement a static assertion in C89: a type with an array of negative size is not allowed. */ int dummy_array[( diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/basic-config.h b/secp256k1-zkp-sys/depend/secp256k1/src/basic-config.h index bb6b5825..6f7693cb 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/basic-config.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/basic-config.h @@ -9,25 +9,8 @@ #ifdef USE_BASIC_CONFIG -#undef USE_ASM_X86_64 -#undef USE_ECMULT_STATIC_PRECOMPUTATION -#undef USE_EXTERNAL_ASM -#undef USE_EXTERNAL_DEFAULT_CALLBACKS -#undef USE_FIELD_INV_BUILTIN -#undef USE_FIELD_INV_NUM -#undef USE_NUM_GMP -#undef USE_NUM_NONE -#undef USE_SCALAR_INV_BUILTIN -#undef USE_SCALAR_INV_NUM -#undef USE_FORCE_WIDEMUL_INT64 -#undef USE_FORCE_WIDEMUL_INT128 -#undef ECMULT_WINDOW_SIZE - -#define USE_NUM_NONE 1 -#define USE_FIELD_INV_BUILTIN 1 -#define USE_SCALAR_INV_BUILTIN 1 -#define USE_WIDEMUL_64 1 #define ECMULT_WINDOW_SIZE 15 +#define ECMULT_GEN_PREC_BITS 4 #endif /* USE_BASIC_CONFIG */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecdh.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecdh.c index 41fee681..397ea9af 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecdh.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecdh.c @@ -6,14 +6,14 @@ #include -#include "include/secp256k1.h" -#include "include/secp256k1_ecdh.h" +#include "../include/secp256k1.h" +#include "../include/secp256k1_ecdh.h" #include "util.h" #include "bench.h" typedef struct { - rustsecp256k1zkp_v0_5_0_context *ctx; - rustsecp256k1zkp_v0_5_0_pubkey point; + rustsecp256k1zkp_v0_6_0_context *ctx; + rustsecp256k1zkp_v0_6_0_pubkey point; unsigned char scalar[32]; } bench_ecdh_data; @@ -31,7 +31,7 @@ static void bench_ecdh_setup(void* arg) { for (i = 0; i < 32; i++) { data->scalar[i] = i + 1; } - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(data->ctx, &data->point, point, sizeof(point)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(data->ctx, &data->point, point, sizeof(point)) == 1); } static void bench_ecdh(void* arg, int iters) { @@ -40,7 +40,7 @@ static void bench_ecdh(void* arg, int iters) { bench_ecdh_data *data = (bench_ecdh_data*)arg; for (i = 0; i < iters; i++) { - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(data->ctx, res, &data->point, data->scalar, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(data->ctx, res, &data->point, data->scalar, NULL, NULL) == 1); } } @@ -50,10 +50,10 @@ int main(void) { int iters = get_iters(20000); /* create a context with no capabilities */ - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_FLAGS_TYPE_CONTEXT); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_FLAGS_TYPE_CONTEXT); run_benchmark("ecdh", bench_ecdh, bench_ecdh_setup, NULL, &data, 10, iters); - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecmult.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecmult.c index 6565f9f1..295a8439 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecmult.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_ecmult.c @@ -5,48 +5,192 @@ ***********************************************************************/ #include -#include "include/secp256k1.h" +#include "secp256k1.c" +#include "../include/secp256k1.h" #include "util.h" #include "hash_impl.h" -#include "num_impl.h" #include "field_impl.h" #include "group_impl.h" #include "scalar_impl.h" #include "ecmult_impl.h" #include "bench.h" -#include "secp256k1.c" #define POINTS 32768 +void help(char **argv) { + printf("Benchmark EC multiplication algorithms\n"); + printf("\n"); + printf("Usage: %s \n", argv[0]); + printf("The output shows the number of multiplied and summed points right after the\n"); + printf("function name. The letter 'g' indicates that one of the points is the generator.\n"); + printf("The benchmarks are divided by the number of points.\n"); + printf("\n"); + printf("default (ecmult_multi): picks pippenger_wnaf or strauss_wnaf depending on the\n"); + printf(" batch size\n"); + printf("pippenger_wnaf: for all batch sizes\n"); + printf("strauss_wnaf: for all batch sizes\n"); + printf("simple: multiply and sum each point individually\n"); +} + typedef struct { /* Setup once in advance */ - rustsecp256k1zkp_v0_5_0_context* ctx; - rustsecp256k1zkp_v0_5_0_scratch_space* scratch; - rustsecp256k1zkp_v0_5_0_scalar* scalars; - rustsecp256k1zkp_v0_5_0_ge* pubkeys; - rustsecp256k1zkp_v0_5_0_scalar* seckeys; - rustsecp256k1zkp_v0_5_0_gej* expected_output; - rustsecp256k1zkp_v0_5_0_ecmult_multi_func ecmult_multi; - - /* Changes per test */ + rustsecp256k1zkp_v0_6_0_context* ctx; + rustsecp256k1zkp_v0_6_0_scratch_space* scratch; + rustsecp256k1zkp_v0_6_0_scalar* scalars; + rustsecp256k1zkp_v0_6_0_ge* pubkeys; + rustsecp256k1zkp_v0_6_0_gej* pubkeys_gej; + rustsecp256k1zkp_v0_6_0_scalar* seckeys; + rustsecp256k1zkp_v0_6_0_gej* expected_output; + rustsecp256k1zkp_v0_6_0_ecmult_multi_func ecmult_multi; + + /* Changes per benchmark */ size_t count; int includes_g; - /* Changes per test iteration */ + /* Changes per benchmark iteration, used to pick different scalars and pubkeys + * in each run. */ size_t offset1; size_t offset2; - /* Test output. */ - rustsecp256k1zkp_v0_5_0_gej* output; + /* Benchmark output. */ + rustsecp256k1zkp_v0_6_0_gej* output; } bench_data; -static int bench_callback(rustsecp256k1zkp_v0_5_0_scalar* sc, rustsecp256k1zkp_v0_5_0_ge* ge, size_t idx, void* arg) { +/* Hashes x into [0, POINTS) twice and store the result in offset1 and offset2. */ +static void hash_into_offset(bench_data* data, size_t x) { + data->offset1 = (x * 0x537b7f6f + 0x8f66a481) % POINTS; + data->offset2 = (x * 0x7f6f537b + 0x6a1a8f49) % POINTS; +} + +/* Check correctness of the benchmark by computing + * sum(outputs) ?= (sum(scalars_gen) + sum(seckeys)*sum(scalars))*G */ +static void bench_ecmult_teardown_helper(bench_data* data, size_t* seckey_offset, size_t* scalar_offset, size_t* scalar_gen_offset, int iters) { + int i; + rustsecp256k1zkp_v0_6_0_gej sum_output, tmp; + rustsecp256k1zkp_v0_6_0_scalar sum_scalars; + + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&sum_output); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sum_scalars); + for (i = 0; i < iters; ++i) { + rustsecp256k1zkp_v0_6_0_gej_add_var(&sum_output, &sum_output, &data->output[i], NULL); + if (scalar_gen_offset != NULL) { + rustsecp256k1zkp_v0_6_0_scalar_add(&sum_scalars, &sum_scalars, &data->scalars[(*scalar_gen_offset+i) % POINTS]); + } + if (seckey_offset != NULL) { + rustsecp256k1zkp_v0_6_0_scalar s = data->seckeys[(*seckey_offset+i) % POINTS]; + rustsecp256k1zkp_v0_6_0_scalar_mul(&s, &s, &data->scalars[(*scalar_offset+i) % POINTS]); + rustsecp256k1zkp_v0_6_0_scalar_add(&sum_scalars, &sum_scalars, &s); + } + } + rustsecp256k1zkp_v0_6_0_ecmult_gen(&data->ctx->ecmult_gen_ctx, &tmp, &sum_scalars); + rustsecp256k1zkp_v0_6_0_gej_neg(&tmp, &tmp); + rustsecp256k1zkp_v0_6_0_gej_add_var(&tmp, &tmp, &sum_output, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&tmp)); +} + +static void bench_ecmult_setup(void* arg) { + bench_data* data = (bench_data*)arg; + /* Re-randomize offset to ensure that we're using different scalars and + * group elements in each run. */ + hash_into_offset(data, data->offset1); +} + +static void bench_ecmult_gen(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + int i; + + for (i = 0; i < iters; ++i) { + rustsecp256k1zkp_v0_6_0_ecmult_gen(&data->ctx->ecmult_gen_ctx, &data->output[i], &data->scalars[(data->offset1+i) % POINTS]); + } +} + +static void bench_ecmult_gen_teardown(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + bench_ecmult_teardown_helper(data, NULL, NULL, &data->offset1, iters); +} + +static void bench_ecmult_const(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + int i; + + for (i = 0; i < iters; ++i) { + rustsecp256k1zkp_v0_6_0_ecmult_const(&data->output[i], &data->pubkeys[(data->offset1+i) % POINTS], &data->scalars[(data->offset2+i) % POINTS], 256); + } +} + +static void bench_ecmult_const_teardown(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + bench_ecmult_teardown_helper(data, &data->offset1, &data->offset2, NULL, iters); +} + +static void bench_ecmult_1(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + int i; + + for (i = 0; i < iters; ++i) { + rustsecp256k1zkp_v0_6_0_ecmult(&data->ctx->ecmult_ctx, &data->output[i], &data->pubkeys_gej[(data->offset1+i) % POINTS], &data->scalars[(data->offset2+i) % POINTS], NULL); + } +} + +static void bench_ecmult_1_teardown(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + bench_ecmult_teardown_helper(data, &data->offset1, &data->offset2, NULL, iters); +} + +static void bench_ecmult_1g(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + rustsecp256k1zkp_v0_6_0_scalar zero; + int i; + + rustsecp256k1zkp_v0_6_0_scalar_set_int(&zero, 0); + for (i = 0; i < iters; ++i) { + rustsecp256k1zkp_v0_6_0_ecmult(&data->ctx->ecmult_ctx, &data->output[i], NULL, &zero, &data->scalars[(data->offset1+i) % POINTS]); + } +} + +static void bench_ecmult_1g_teardown(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + bench_ecmult_teardown_helper(data, NULL, NULL, &data->offset1, iters); +} + +static void bench_ecmult_2g(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + int i; + + for (i = 0; i < iters/2; ++i) { + rustsecp256k1zkp_v0_6_0_ecmult(&data->ctx->ecmult_ctx, &data->output[i], &data->pubkeys_gej[(data->offset1+i) % POINTS], &data->scalars[(data->offset2+i) % POINTS], &data->scalars[(data->offset1+i) % POINTS]); + } +} + +static void bench_ecmult_2g_teardown(void* arg, int iters) { + bench_data* data = (bench_data*)arg; + bench_ecmult_teardown_helper(data, &data->offset1, &data->offset2, &data->offset1, iters/2); +} + +static void run_ecmult_bench(bench_data* data, int iters) { + char str[32]; + sprintf(str, "ecmult_gen"); + run_benchmark(str, bench_ecmult_gen, bench_ecmult_setup, bench_ecmult_gen_teardown, data, 10, iters); + sprintf(str, "ecmult_const"); + run_benchmark(str, bench_ecmult_const, bench_ecmult_setup, bench_ecmult_const_teardown, data, 10, iters); + /* ecmult with non generator point */ + sprintf(str, "ecmult 1"); + run_benchmark(str, bench_ecmult_1, bench_ecmult_setup, bench_ecmult_1_teardown, data, 10, iters); + /* ecmult with generator point */ + sprintf(str, "ecmult 1g"); + run_benchmark(str, bench_ecmult_1g, bench_ecmult_setup, bench_ecmult_1g_teardown, data, 10, iters); + /* ecmult with generator and non-generator point. The reported time is per point. */ + sprintf(str, "ecmult 2g"); + run_benchmark(str, bench_ecmult_2g, bench_ecmult_setup, bench_ecmult_2g_teardown, data, 10, 2*iters); +} + +static int bench_ecmult_multi_callback(rustsecp256k1zkp_v0_6_0_scalar* sc, rustsecp256k1zkp_v0_6_0_ge* ge, size_t idx, void* arg) { bench_data* data = (bench_data*)arg; if (data->includes_g) ++idx; if (idx == 0) { *sc = data->scalars[data->offset1]; - *ge = rustsecp256k1zkp_v0_5_0_ge_const_g; + *ge = rustsecp256k1zkp_v0_6_0_ge_const_g; } else { *sc = data->scalars[(data->offset1 + idx) % POINTS]; *ge = data->pubkeys[(data->offset2 + idx - 1) % POINTS]; @@ -54,7 +198,7 @@ static int bench_callback(rustsecp256k1zkp_v0_5_0_scalar* sc, rustsecp256k1zkp_v return 1; } -static void bench_ecmult(void* arg, int iters) { +static void bench_ecmult_multi(void* arg, int iters) { bench_data* data = (bench_data*)arg; int includes_g = data->includes_g; @@ -63,49 +207,48 @@ static void bench_ecmult(void* arg, int iters) { iters = iters / data->count; for (iter = 0; iter < iters; ++iter) { - data->ecmult_multi(&data->ctx->error_callback, &data->ctx->ecmult_ctx, data->scratch, &data->output[iter], data->includes_g ? &data->scalars[data->offset1] : NULL, bench_callback, arg, count - includes_g); + data->ecmult_multi(&data->ctx->error_callback, &data->ctx->ecmult_ctx, data->scratch, &data->output[iter], data->includes_g ? &data->scalars[data->offset1] : NULL, bench_ecmult_multi_callback, arg, count - includes_g); data->offset1 = (data->offset1 + count) % POINTS; data->offset2 = (data->offset2 + count - 1) % POINTS; } } -static void bench_ecmult_setup(void* arg) { +static void bench_ecmult_multi_setup(void* arg) { bench_data* data = (bench_data*)arg; - data->offset1 = (data->count * 0x537b7f6f + 0x8f66a481) % POINTS; - data->offset2 = (data->count * 0x7f6f537b + 0x6a1a8f49) % POINTS; + hash_into_offset(data, data->count); } -static void bench_ecmult_teardown(void* arg, int iters) { +static void bench_ecmult_multi_teardown(void* arg, int iters) { bench_data* data = (bench_data*)arg; int iter; iters = iters / data->count; /* Verify the results in teardown, to avoid doing comparisons while benchmarking. */ for (iter = 0; iter < iters; ++iter) { - rustsecp256k1zkp_v0_5_0_gej tmp; - rustsecp256k1zkp_v0_5_0_gej_add_var(&tmp, &data->output[iter], &data->expected_output[iter], NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&tmp)); + rustsecp256k1zkp_v0_6_0_gej tmp; + rustsecp256k1zkp_v0_6_0_gej_add_var(&tmp, &data->output[iter], &data->expected_output[iter], NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&tmp)); } } -static void generate_scalar(uint32_t num, rustsecp256k1zkp_v0_5_0_scalar* scalar) { - rustsecp256k1zkp_v0_5_0_sha256 sha256; - unsigned char c[11] = {'e', 'c', 'm', 'u', 'l', 't', 0, 0, 0, 0}; +static void generate_scalar(uint32_t num, rustsecp256k1zkp_v0_6_0_scalar* scalar) { + rustsecp256k1zkp_v0_6_0_sha256 sha256; + unsigned char c[10] = {'e', 'c', 'm', 'u', 'l', 't', 0, 0, 0, 0}; unsigned char buf[32]; int overflow = 0; c[6] = num; c[7] = num >> 8; c[8] = num >> 16; c[9] = num >> 24; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256, c, sizeof(c)); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256, buf); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(scalar, buf, &overflow); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256, c, sizeof(c)); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256, buf); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(scalar, buf, &overflow); CHECK(!overflow); } -static void run_test(bench_data* data, size_t count, int includes_g, int num_iters) { +static void run_ecmult_multi_bench(bench_data* data, size_t count, int includes_g, int num_iters) { char str[32]; - static const rustsecp256k1zkp_v0_5_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + static const rustsecp256k1zkp_v0_6_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); size_t iters = 1 + num_iters / count; size_t iter; @@ -113,80 +256,89 @@ static void run_test(bench_data* data, size_t count, int includes_g, int num_ite data->includes_g = includes_g; /* Compute (the negation of) the expected results directly. */ - data->offset1 = (data->count * 0x537b7f6f + 0x8f66a481) % POINTS; - data->offset2 = (data->count * 0x7f6f537b + 0x6a1a8f49) % POINTS; + hash_into_offset(data, data->count); for (iter = 0; iter < iters; ++iter) { - rustsecp256k1zkp_v0_5_0_scalar tmp; - rustsecp256k1zkp_v0_5_0_scalar total = data->scalars[(data->offset1++) % POINTS]; + rustsecp256k1zkp_v0_6_0_scalar tmp; + rustsecp256k1zkp_v0_6_0_scalar total = data->scalars[(data->offset1++) % POINTS]; size_t i = 0; for (i = 0; i + 1 < count; ++i) { - rustsecp256k1zkp_v0_5_0_scalar_mul(&tmp, &data->seckeys[(data->offset2++) % POINTS], &data->scalars[(data->offset1++) % POINTS]); - rustsecp256k1zkp_v0_5_0_scalar_add(&total, &total, &tmp); + rustsecp256k1zkp_v0_6_0_scalar_mul(&tmp, &data->seckeys[(data->offset2++) % POINTS], &data->scalars[(data->offset1++) % POINTS]); + rustsecp256k1zkp_v0_6_0_scalar_add(&total, &total, &tmp); } - rustsecp256k1zkp_v0_5_0_scalar_negate(&total, &total); - rustsecp256k1zkp_v0_5_0_ecmult(&data->ctx->ecmult_ctx, &data->expected_output[iter], NULL, &zero, &total); + rustsecp256k1zkp_v0_6_0_scalar_negate(&total, &total); + rustsecp256k1zkp_v0_6_0_ecmult(&data->ctx->ecmult_ctx, &data->expected_output[iter], NULL, &zero, &total); } /* Run the benchmark. */ - sprintf(str, includes_g ? "ecmult_%ig" : "ecmult_%i", (int)count); - run_benchmark(str, bench_ecmult, bench_ecmult_setup, bench_ecmult_teardown, data, 10, count * iters); + sprintf(str, includes_g ? "ecmult_multi %ig" : "ecmult_multi %i", (int)count); + run_benchmark(str, bench_ecmult_multi, bench_ecmult_multi_setup, bench_ecmult_multi_teardown, data, 10, count * iters); } int main(int argc, char **argv) { bench_data data; int i, p; - rustsecp256k1zkp_v0_5_0_gej* pubkeys_gej; size_t scratch_size; int iters = get_iters(10000); - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - scratch_size = rustsecp256k1zkp_v0_5_0_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*16; - data.scratch = rustsecp256k1zkp_v0_5_0_scratch_space_create(data.ctx, scratch_size); - data.ecmult_multi = rustsecp256k1zkp_v0_5_0_ecmult_multi_var; + data.ecmult_multi = rustsecp256k1zkp_v0_6_0_ecmult_multi_var; if (argc > 1) { - if(have_flag(argc, argv, "pippenger_wnaf")) { + if(have_flag(argc, argv, "-h") + || have_flag(argc, argv, "--help") + || have_flag(argc, argv, "help")) { + help(argv); + return 1; + } else if(have_flag(argc, argv, "pippenger_wnaf")) { printf("Using pippenger_wnaf:\n"); - data.ecmult_multi = rustsecp256k1zkp_v0_5_0_ecmult_pippenger_batch_single; + data.ecmult_multi = rustsecp256k1zkp_v0_6_0_ecmult_pippenger_batch_single; } else if(have_flag(argc, argv, "strauss_wnaf")) { printf("Using strauss_wnaf:\n"); - data.ecmult_multi = rustsecp256k1zkp_v0_5_0_ecmult_strauss_batch_single; + data.ecmult_multi = rustsecp256k1zkp_v0_6_0_ecmult_strauss_batch_single; } else if(have_flag(argc, argv, "simple")) { printf("Using simple algorithm:\n"); - data.ecmult_multi = rustsecp256k1zkp_v0_5_0_ecmult_multi_var; - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(data.ctx, data.scratch); - data.scratch = NULL; } else { - fprintf(stderr, "%s: unrecognized argument '%s'.\n", argv[0], argv[1]); - fprintf(stderr, "Use 'pippenger_wnaf', 'strauss_wnaf', 'simple' or no argument to benchmark a combined algorithm.\n"); + fprintf(stderr, "%s: unrecognized argument '%s'.\n\n", argv[0], argv[1]); + help(argv); return 1; } } + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + scratch_size = rustsecp256k1zkp_v0_6_0_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*16; + if (!have_flag(argc, argv, "simple")) { + data.scratch = rustsecp256k1zkp_v0_6_0_scratch_space_create(data.ctx, scratch_size); + } else { + data.scratch = NULL; + } + /* Allocate stuff */ - data.scalars = malloc(sizeof(rustsecp256k1zkp_v0_5_0_scalar) * POINTS); - data.seckeys = malloc(sizeof(rustsecp256k1zkp_v0_5_0_scalar) * POINTS); - data.pubkeys = malloc(sizeof(rustsecp256k1zkp_v0_5_0_ge) * POINTS); - data.expected_output = malloc(sizeof(rustsecp256k1zkp_v0_5_0_gej) * (iters + 1)); - data.output = malloc(sizeof(rustsecp256k1zkp_v0_5_0_gej) * (iters + 1)); + data.scalars = malloc(sizeof(rustsecp256k1zkp_v0_6_0_scalar) * POINTS); + data.seckeys = malloc(sizeof(rustsecp256k1zkp_v0_6_0_scalar) * POINTS); + data.pubkeys = malloc(sizeof(rustsecp256k1zkp_v0_6_0_ge) * POINTS); + data.pubkeys_gej = malloc(sizeof(rustsecp256k1zkp_v0_6_0_gej) * POINTS); + data.expected_output = malloc(sizeof(rustsecp256k1zkp_v0_6_0_gej) * (iters + 1)); + data.output = malloc(sizeof(rustsecp256k1zkp_v0_6_0_gej) * (iters + 1)); /* Generate a set of scalars, and private/public keypairs. */ - pubkeys_gej = malloc(sizeof(rustsecp256k1zkp_v0_5_0_gej) * POINTS); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pubkeys_gej[0], &rustsecp256k1zkp_v0_5_0_ge_const_g); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&data.seckeys[0], 1); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&data.pubkeys_gej[0], &rustsecp256k1zkp_v0_6_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&data.seckeys[0], 1); for (i = 0; i < POINTS; ++i) { generate_scalar(i, &data.scalars[i]); if (i) { - rustsecp256k1zkp_v0_5_0_gej_double_var(&pubkeys_gej[i], &pubkeys_gej[i - 1], NULL); - rustsecp256k1zkp_v0_5_0_scalar_add(&data.seckeys[i], &data.seckeys[i - 1], &data.seckeys[i - 1]); + rustsecp256k1zkp_v0_6_0_gej_double_var(&data.pubkeys_gej[i], &data.pubkeys_gej[i - 1], NULL); + rustsecp256k1zkp_v0_6_0_scalar_add(&data.seckeys[i], &data.seckeys[i - 1], &data.seckeys[i - 1]); } } - rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(data.pubkeys, pubkeys_gej, POINTS); - free(pubkeys_gej); + rustsecp256k1zkp_v0_6_0_ge_set_all_gej_var(data.pubkeys, data.pubkeys_gej, POINTS); + + + /* Initialize offset1 and offset2 */ + hash_into_offset(&data, 0); + run_ecmult_bench(&data, iters); for (i = 1; i <= 8; ++i) { - run_test(&data, i, 1, iters); + run_ecmult_multi_bench(&data, i, 1, iters); } /* This is disabled with low count of iterations because the loop runs 77 times even with iters=1 @@ -195,17 +347,18 @@ int main(int argc, char **argv) { if (iters > 2) { for (p = 0; p <= 11; ++p) { for (i = 9; i <= 16; ++i) { - run_test(&data, i << p, 1, iters); + run_ecmult_multi_bench(&data, i << p, 1, iters); } } } if (data.scratch != NULL) { - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(data.ctx, data.scratch); + rustsecp256k1zkp_v0_6_0_scratch_space_destroy(data.ctx, data.scratch); } - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); free(data.scalars); free(data.pubkeys); + free(data.pubkeys_gej); free(data.seckeys); free(data.output); free(data.expected_output); diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_generator.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_generator.c index 1a4c5658..94f43842 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_generator.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_generator.c @@ -12,7 +12,7 @@ #include "bench.h" typedef struct { - rustsecp256k1zkp_v0_5_0_context* ctx; + rustsecp256k1zkp_v0_6_0_context* ctx; unsigned char key[32]; unsigned char blind[32]; } bench_generator_t; @@ -28,8 +28,8 @@ static void bench_generator_generate(void* arg, int iters) { bench_generator_t *data = (bench_generator_t*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_generator gen; - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate(data->ctx, &gen, data->key)); + rustsecp256k1zkp_v0_6_0_generator gen; + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate(data->ctx, &gen, data->key)); data->key[i & 31]++; } } @@ -39,8 +39,8 @@ static void bench_generator_generate_blinded(void* arg, int iters) { bench_generator_t *data = (bench_generator_t*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_generator gen; - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(data->ctx, &gen, data->key, data->blind)); + rustsecp256k1zkp_v0_6_0_generator gen; + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(data->ctx, &gen, data->key, data->blind)); data->key[1 + (i & 30)]++; data->blind[1 + (i & 30)]++; } @@ -50,11 +50,11 @@ int main(void) { bench_generator_t data; int iters = get_iters(20000); - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); run_benchmark("generator_generate", bench_generator_generate, bench_generator_setup, NULL, &data, 10, iters); run_benchmark("generator_generate_blinded", bench_generator_generate_blinded, bench_generator_setup, NULL, &data, 10, iters); - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_internal.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_internal.c index 507efa01..e72fb598 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_internal.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_internal.c @@ -5,25 +5,24 @@ ***********************************************************************/ #include -#include "include/secp256k1.h" +#include "secp256k1.c" +#include "../include/secp256k1.h" #include "assumptions.h" #include "util.h" #include "hash_impl.h" -#include "num_impl.h" #include "field_impl.h" #include "group_impl.h" #include "scalar_impl.h" #include "ecmult_const_impl.h" #include "ecmult_impl.h" #include "bench.h" -#include "secp256k1.c" typedef struct { - rustsecp256k1zkp_v0_5_0_scalar scalar[2]; - rustsecp256k1zkp_v0_5_0_fe fe[4]; - rustsecp256k1zkp_v0_5_0_ge ge[2]; - rustsecp256k1zkp_v0_5_0_gej gej[2]; + rustsecp256k1zkp_v0_6_0_scalar scalar[2]; + rustsecp256k1zkp_v0_6_0_fe fe[4]; + rustsecp256k1zkp_v0_6_0_ge ge[2]; + rustsecp256k1zkp_v0_6_0_gej gej[2]; unsigned char data[64]; int wnaf[256]; } bench_inv; @@ -64,18 +63,18 @@ void bench_setup(void* arg) { } }; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&data->scalar[0], init[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&data->scalar[1], init[1], NULL); - rustsecp256k1zkp_v0_5_0_fe_set_b32(&data->fe[0], init[0]); - rustsecp256k1zkp_v0_5_0_fe_set_b32(&data->fe[1], init[1]); - rustsecp256k1zkp_v0_5_0_fe_set_b32(&data->fe[2], init[2]); - rustsecp256k1zkp_v0_5_0_fe_set_b32(&data->fe[3], init[3]); - CHECK(rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&data->ge[0], &data->fe[0], 0)); - CHECK(rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&data->ge[1], &data->fe[1], 1)); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&data->gej[0], &data->ge[0]); - rustsecp256k1zkp_v0_5_0_gej_rescale(&data->gej[0], &data->fe[2]); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&data->gej[1], &data->ge[1]); - rustsecp256k1zkp_v0_5_0_gej_rescale(&data->gej[1], &data->fe[3]); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&data->scalar[0], init[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&data->scalar[1], init[1], NULL); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&data->fe[0], init[0]); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&data->fe[1], init[1]); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&data->fe[2], init[2]); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&data->fe[3], init[3]); + CHECK(rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&data->ge[0], &data->fe[0], 0)); + CHECK(rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&data->ge[1], &data->fe[1], 1)); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&data->gej[0], &data->ge[0]); + rustsecp256k1zkp_v0_6_0_gej_rescale(&data->gej[0], &data->fe[2]); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&data->gej[1], &data->ge[1]); + rustsecp256k1zkp_v0_6_0_gej_rescale(&data->gej[1], &data->fe[3]); memcpy(data->data, init[0], 32); memcpy(data->data + 32, init[1], 32); } @@ -85,7 +84,7 @@ void bench_scalar_add(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - j += rustsecp256k1zkp_v0_5_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); + j += rustsecp256k1zkp_v0_6_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); } CHECK(j <= iters); } @@ -95,16 +94,7 @@ void bench_scalar_negate(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&data->scalar[0], &data->scalar[0]); - } -} - -void bench_scalar_sqr(void* arg, int iters) { - int i; - bench_inv *data = (bench_inv*)arg; - - for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(&data->scalar[0], &data->scalar[0]); + rustsecp256k1zkp_v0_6_0_scalar_negate(&data->scalar[0], &data->scalar[0]); } } @@ -113,7 +103,7 @@ void bench_scalar_mul(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_scalar_mul(&data->scalar[0], &data->scalar[0], &data->scalar[1]); + rustsecp256k1zkp_v0_6_0_scalar_mul(&data->scalar[0], &data->scalar[0], &data->scalar[1]); } } @@ -122,8 +112,8 @@ void bench_scalar_split(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_scalar_split_lambda(&data->scalar[0], &data->scalar[1], &data->scalar[0]); - j += rustsecp256k1zkp_v0_5_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); + rustsecp256k1zkp_v0_6_0_scalar_split_lambda(&data->scalar[0], &data->scalar[1], &data->scalar[0]); + j += rustsecp256k1zkp_v0_6_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); } CHECK(j <= iters); } @@ -133,8 +123,8 @@ void bench_scalar_inverse(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_scalar_inverse(&data->scalar[0], &data->scalar[0]); - j += rustsecp256k1zkp_v0_5_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); + rustsecp256k1zkp_v0_6_0_scalar_inverse(&data->scalar[0], &data->scalar[0]); + j += rustsecp256k1zkp_v0_6_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); } CHECK(j <= iters); } @@ -144,8 +134,8 @@ void bench_scalar_inverse_var(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_scalar_inverse_var(&data->scalar[0], &data->scalar[0]); - j += rustsecp256k1zkp_v0_5_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); + rustsecp256k1zkp_v0_6_0_scalar_inverse_var(&data->scalar[0], &data->scalar[0]); + j += rustsecp256k1zkp_v0_6_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); } CHECK(j <= iters); } @@ -155,7 +145,7 @@ void bench_field_normalize(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_fe_normalize(&data->fe[0]); + rustsecp256k1zkp_v0_6_0_fe_normalize(&data->fe[0]); } } @@ -164,7 +154,7 @@ void bench_field_normalize_weak(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&data->fe[0]); + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&data->fe[0]); } } @@ -173,7 +163,7 @@ void bench_field_mul(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_fe_mul(&data->fe[0], &data->fe[0], &data->fe[1]); + rustsecp256k1zkp_v0_6_0_fe_mul(&data->fe[0], &data->fe[0], &data->fe[1]); } } @@ -182,7 +172,7 @@ void bench_field_sqr(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&data->fe[0], &data->fe[0]); + rustsecp256k1zkp_v0_6_0_fe_sqr(&data->fe[0], &data->fe[0]); } } @@ -191,8 +181,8 @@ void bench_field_inverse(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_fe_inv(&data->fe[0], &data->fe[0]); - rustsecp256k1zkp_v0_5_0_fe_add(&data->fe[0], &data->fe[1]); + rustsecp256k1zkp_v0_6_0_fe_inv(&data->fe[0], &data->fe[0]); + rustsecp256k1zkp_v0_6_0_fe_add(&data->fe[0], &data->fe[1]); } } @@ -201,20 +191,20 @@ void bench_field_inverse_var(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_fe_inv_var(&data->fe[0], &data->fe[0]); - rustsecp256k1zkp_v0_5_0_fe_add(&data->fe[0], &data->fe[1]); + rustsecp256k1zkp_v0_6_0_fe_inv_var(&data->fe[0], &data->fe[0]); + rustsecp256k1zkp_v0_6_0_fe_add(&data->fe[0], &data->fe[1]); } } void bench_field_sqrt(void* arg, int iters) { int i, j = 0; bench_inv *data = (bench_inv*)arg; - rustsecp256k1zkp_v0_5_0_fe t; + rustsecp256k1zkp_v0_6_0_fe t; for (i = 0; i < iters; i++) { t = data->fe[0]; - j += rustsecp256k1zkp_v0_5_0_fe_sqrt(&data->fe[0], &t); - rustsecp256k1zkp_v0_5_0_fe_add(&data->fe[0], &data->fe[1]); + j += rustsecp256k1zkp_v0_6_0_fe_sqrt(&data->fe[0], &t); + rustsecp256k1zkp_v0_6_0_fe_add(&data->fe[0], &data->fe[1]); } CHECK(j <= iters); } @@ -224,7 +214,7 @@ void bench_group_double_var(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_gej_double_var(&data->gej[0], &data->gej[0], NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&data->gej[0], &data->gej[0], NULL); } } @@ -233,7 +223,7 @@ void bench_group_add_var(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_gej_add_var(&data->gej[0], &data->gej[0], &data->gej[1], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&data->gej[0], &data->gej[0], &data->gej[1], NULL); } } @@ -242,7 +232,7 @@ void bench_group_add_affine(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_gej_add_ge(&data->gej[0], &data->gej[0], &data->ge[1]); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&data->gej[0], &data->gej[0], &data->ge[1]); } } @@ -251,28 +241,8 @@ void bench_group_add_affine_var(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&data->gej[0], &data->gej[0], &data->ge[1], NULL); - } -} - -void bench_group_jacobi_var(void* arg, int iters) { - int i, j = 0; - bench_inv *data = (bench_inv*)arg; - - for (i = 0; i < iters; i++) { - j += rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(&data->gej[0]); - /* Vary the Y and Z coordinates of the input (the X coordinate doesn't matter to - rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var). Note that the resulting coordinates will - generally not correspond to a point on the curve, but this is not a problem - for the code being benchmarked here. Adding and normalizing have less - overhead than EC operations (which could guarantee the point remains on the - curve). */ - rustsecp256k1zkp_v0_5_0_fe_add(&data->gej[0].y, &data->fe[1]); - rustsecp256k1zkp_v0_5_0_fe_add(&data->gej[0].z, &data->fe[2]); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&data->gej[0].y); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&data->gej[0].z); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&data->gej[0], &data->gej[0], &data->ge[1], NULL); } - CHECK(j <= iters); } void bench_group_to_affine_var(void* arg, int iters) { @@ -280,16 +250,18 @@ void bench_group_to_affine_var(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; ++i) { - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&data->ge[1], &data->gej[0]); + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&data->ge[1], &data->gej[0]); /* Use the output affine X/Y coordinates to vary the input X/Y/Z coordinates. - Similar to bench_group_jacobi_var, this approach does not result in - coordinates of points on the curve. */ - rustsecp256k1zkp_v0_5_0_fe_add(&data->gej[0].x, &data->ge[1].y); - rustsecp256k1zkp_v0_5_0_fe_add(&data->gej[0].y, &data->fe[2]); - rustsecp256k1zkp_v0_5_0_fe_add(&data->gej[0].z, &data->ge[1].x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&data->gej[0].x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&data->gej[0].y); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&data->gej[0].z); + Note that the resulting coordinates will generally not correspond to a point + on the curve, but this is not a problem for the code being benchmarked here. + Adding and normalizing have less overhead than EC operations (which could + guarantee the point remains on the curve). */ + rustsecp256k1zkp_v0_6_0_fe_add(&data->gej[0].x, &data->ge[1].y); + rustsecp256k1zkp_v0_6_0_fe_add(&data->gej[0].y, &data->fe[2]); + rustsecp256k1zkp_v0_6_0_fe_add(&data->gej[0].z, &data->ge[1].x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&data->gej[0].x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&data->gej[0].y); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&data->gej[0].z); } } @@ -298,8 +270,8 @@ void bench_ecmult_wnaf(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - bits += rustsecp256k1zkp_v0_5_0_ecmult_wnaf(data->wnaf, 256, &data->scalar[0], WINDOW_A); - overflow += rustsecp256k1zkp_v0_5_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); + bits += rustsecp256k1zkp_v0_6_0_ecmult_wnaf(data->wnaf, 256, &data->scalar[0], WINDOW_A); + overflow += rustsecp256k1zkp_v0_6_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); } CHECK(overflow >= 0); CHECK(bits <= 256*iters); @@ -310,8 +282,8 @@ void bench_wnaf_const(void* arg, int iters) { bench_inv *data = (bench_inv*)arg; for (i = 0; i < iters; i++) { - bits += rustsecp256k1zkp_v0_5_0_wnaf_const(data->wnaf, &data->scalar[0], WINDOW_A, 256); - overflow += rustsecp256k1zkp_v0_5_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); + bits += rustsecp256k1zkp_v0_6_0_wnaf_const(data->wnaf, &data->scalar[0], WINDOW_A, 256); + overflow += rustsecp256k1zkp_v0_6_0_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]); } CHECK(overflow >= 0); CHECK(bits <= 256*iters); @@ -321,35 +293,35 @@ void bench_wnaf_const(void* arg, int iters) { void bench_sha256(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, data->data, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, data->data); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, data->data, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, data->data); } } void bench_hmac_sha256(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - rustsecp256k1zkp_v0_5_0_hmac_sha256 hmac; + rustsecp256k1zkp_v0_6_0_hmac_sha256 hmac; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, data->data, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, data->data, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, data->data); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, data->data, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, data->data, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, data->data); } } void bench_rfc6979_hmac_sha256(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 rng; + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 rng; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, data->data, 64); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, data->data, 32); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, data->data, 64); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, data->data, 32); } } @@ -357,7 +329,7 @@ void bench_context_verify(void* arg, int iters) { int i; (void)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_context_destroy(rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY)); + rustsecp256k1zkp_v0_6_0_context_destroy(rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY)); } } @@ -365,39 +337,20 @@ void bench_context_sign(void* arg, int iters) { int i; (void)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_context_destroy(rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN)); + rustsecp256k1zkp_v0_6_0_context_destroy(rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN)); } } -#ifndef USE_NUM_NONE -void bench_num_jacobi(void* arg, int iters) { - int i, j = 0; - bench_inv *data = (bench_inv*)arg; - rustsecp256k1zkp_v0_5_0_num nx, na, norder; - - rustsecp256k1zkp_v0_5_0_scalar_get_num(&nx, &data->scalar[0]); - rustsecp256k1zkp_v0_5_0_scalar_order_get_num(&norder); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&na, &data->scalar[1]); - - for (i = 0; i < iters; i++) { - j += rustsecp256k1zkp_v0_5_0_num_jacobi(&nx, &norder); - rustsecp256k1zkp_v0_5_0_num_add(&nx, &nx, &na); - } - CHECK(j <= iters); -} -#endif - int main(int argc, char **argv) { bench_inv data; int iters = get_iters(20000); if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "add")) run_benchmark("scalar_add", bench_scalar_add, bench_setup, NULL, &data, 10, iters*100); if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "negate")) run_benchmark("scalar_negate", bench_scalar_negate, bench_setup, NULL, &data, 10, iters*100); - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "sqr")) run_benchmark("scalar_sqr", bench_scalar_sqr, bench_setup, NULL, &data, 10, iters*10); if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "mul")) run_benchmark("scalar_mul", bench_scalar_mul, bench_setup, NULL, &data, 10, iters*10); if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "split")) run_benchmark("scalar_split", bench_scalar_split, bench_setup, NULL, &data, 10, iters); - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse", bench_scalar_inverse, bench_setup, NULL, &data, 10, 2000); - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse_var", bench_scalar_inverse_var, bench_setup, NULL, &data, 10, 2000); + if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse", bench_scalar_inverse, bench_setup, NULL, &data, 10, iters); + if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse_var", bench_scalar_inverse_var, bench_setup, NULL, &data, 10, iters); if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize", bench_field_normalize, bench_setup, NULL, &data, 10, iters*100); if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize_weak", bench_field_normalize_weak, bench_setup, NULL, &data, 10, iters*100); @@ -411,7 +364,6 @@ int main(int argc, char **argv) { if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_var", bench_group_add_var, bench_setup, NULL, &data, 10, iters*10); if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine", bench_group_add_affine, bench_setup, NULL, &data, 10, iters*10); if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine_var", bench_group_add_affine_var, bench_setup, NULL, &data, 10, iters*10); - if (have_flag(argc, argv, "group") || have_flag(argc, argv, "jacobi")) run_benchmark("group_jacobi_var", bench_group_jacobi_var, bench_setup, NULL, &data, 10, iters); if (have_flag(argc, argv, "group") || have_flag(argc, argv, "to_affine")) run_benchmark("group_to_affine_var", bench_group_to_affine_var, bench_setup, NULL, &data, 10, iters); if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("wnaf_const", bench_wnaf_const, bench_setup, NULL, &data, 10, iters); @@ -424,8 +376,5 @@ int main(int argc, char **argv) { if (have_flag(argc, argv, "context") || have_flag(argc, argv, "verify")) run_benchmark("context_verify", bench_context_verify, bench_setup, NULL, &data, 10, 1 + iters/1000); if (have_flag(argc, argv, "context") || have_flag(argc, argv, "sign")) run_benchmark("context_sign", bench_context_sign, bench_setup, NULL, &data, 10, 1 + iters/100); -#ifndef USE_NUM_NONE - if (have_flag(argc, argv, "num") || have_flag(argc, argv, "jacobi")) run_benchmark("num_jacobi", bench_num_jacobi, bench_setup, NULL, &data, 10, iters*10); -#endif return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_rangeproof.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_rangeproof.c index aac10ee7..c58b3d94 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_rangeproof.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_rangeproof.c @@ -11,8 +11,8 @@ #include "bench.h" typedef struct { - rustsecp256k1zkp_v0_5_0_context* ctx; - rustsecp256k1zkp_v0_5_0_pedersen_commitment commit; + rustsecp256k1zkp_v0_6_0_context* ctx; + rustsecp256k1zkp_v0_6_0_pedersen_commitment commit; unsigned char proof[5134]; unsigned char blind[32]; size_t len; @@ -28,10 +28,10 @@ static void bench_rangeproof_setup(void* arg) { data->v = 0; for (i = 0; i < 32; i++) data->blind[i] = i + 1; - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(data->ctx, &data->commit, data->blind, data->v, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(data->ctx, &data->commit, data->blind, data->v, rustsecp256k1zkp_v0_6_0_generator_h)); data->len = 5134; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(data->ctx, data->proof, &data->len, 0, &data->commit, data->blind, (const unsigned char*)&data->commit, 0, data->min_bits, data->v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(data->ctx, &minv, &maxv, &data->commit, data->proof, data->len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(data->ctx, data->proof, &data->len, 0, &data->commit, data->blind, (const unsigned char*)&data->commit, 0, data->min_bits, data->v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(data->ctx, &minv, &maxv, &data->commit, data->proof, data->len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); } static void bench_rangeproof(void* arg, int iters) { @@ -42,7 +42,7 @@ static void bench_rangeproof(void* arg, int iters) { int j; uint64_t minv; uint64_t maxv; - j = rustsecp256k1zkp_v0_5_0_rangeproof_verify(data->ctx, &minv, &maxv, &data->commit, data->proof, data->len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h); + j = rustsecp256k1zkp_v0_6_0_rangeproof_verify(data->ctx, &minv, &maxv, &data->commit, data->proof, data->len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h); for (j = 0; j < 4; j++) { data->proof[j + 2 + 32 *((data->min_bits + 1) >> 1) - 4] = (i >> 8)&255; } @@ -53,13 +53,13 @@ int main(void) { bench_rangeproof_t data; int iters; - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); data.min_bits = 32; iters = data.min_bits*get_iters(32); run_benchmark("rangeproof_verify_bit", bench_rangeproof, bench_rangeproof_setup, NULL, &data, 10, iters); - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_recover.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_recover.c index a051fe9e..2d75c233 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_recover.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_recover.c @@ -4,13 +4,13 @@ * file COPYING or https://www.opensource.org/licenses/mit-license.php.* ***********************************************************************/ -#include "include/secp256k1.h" -#include "include/secp256k1_recovery.h" +#include "../include/secp256k1.h" +#include "../include/secp256k1_recovery.h" #include "util.h" #include "bench.h" typedef struct { - rustsecp256k1zkp_v0_5_0_context *ctx; + rustsecp256k1zkp_v0_6_0_context *ctx; unsigned char msg[32]; unsigned char sig[64]; } bench_recover_data; @@ -18,16 +18,16 @@ typedef struct { void bench_recover(void* arg, int iters) { int i; bench_recover_data *data = (bench_recover_data*)arg; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; unsigned char pubkeyc[33]; for (i = 0; i < iters; i++) { int j; size_t pubkeylen = 33; - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature sig; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(data->ctx, &sig, data->sig, i % 2)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(data->ctx, &pubkey, &sig, data->msg)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(data->ctx, pubkeyc, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED)); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature sig; + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(data->ctx, &sig, data->sig, i % 2)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(data->ctx, &pubkey, &sig, data->msg)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(data->ctx, pubkeyc, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED)); for (j = 0; j < 32; j++) { data->sig[j + 32] = data->msg[j]; /* Move former message to S. */ data->msg[j] = data->sig[j]; /* Move former R to message. */ @@ -53,10 +53,10 @@ int main(void) { int iters = get_iters(20000); - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); run_benchmark("ecdsa_recover", bench_recover, bench_recover_setup, NULL, &data, 10, iters); - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_schnorrsig.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_schnorrsig.c index d3ffed55..edc88ada 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_schnorrsig.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_schnorrsig.c @@ -8,16 +8,16 @@ #include -#include "include/secp256k1.h" -#include "include/secp256k1_schnorrsig.h" +#include "../include/secp256k1.h" +#include "../include/secp256k1_schnorrsig.h" #include "util.h" #include "bench.h" typedef struct { - rustsecp256k1zkp_v0_5_0_context *ctx; + rustsecp256k1zkp_v0_6_0_context *ctx; int n; - const rustsecp256k1zkp_v0_5_0_keypair **keypairs; + const rustsecp256k1zkp_v0_6_0_keypair **keypairs; const unsigned char **pk; const unsigned char **sigs; const unsigned char **msgs; @@ -32,7 +32,7 @@ void bench_schnorrsig_sign(void* arg, int iters) { for (i = 0; i < iters; i++) { msg[0] = i; msg[1] = i >> 8; - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(data->ctx, sig, msg, data->keypairs[i], NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(data->ctx, sig, msg, data->keypairs[i], NULL, NULL)); } } @@ -41,9 +41,9 @@ void bench_schnorrsig_verify(void* arg, int iters) { int i; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(data->ctx, &pk, data->pk[i]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(data->ctx, data->sigs[i], data->msgs[i], &pk)); + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk; + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(data->ctx, &pk, data->pk[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(data->ctx, data->sigs[i], data->msgs[i], &pk)); } } @@ -52,8 +52,8 @@ int main(void) { bench_schnorrsig_data data; int iters = get_iters(10000); - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN); - data.keypairs = (const rustsecp256k1zkp_v0_5_0_keypair **)malloc(iters * sizeof(rustsecp256k1zkp_v0_5_0_keypair *)); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN); + data.keypairs = (const rustsecp256k1zkp_v0_6_0_keypair **)malloc(iters * sizeof(rustsecp256k1zkp_v0_6_0_keypair *)); data.pk = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); data.msgs = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); data.sigs = (const unsigned char **)malloc(iters * sizeof(unsigned char *)); @@ -62,9 +62,9 @@ int main(void) { unsigned char sk[32]; unsigned char *msg = (unsigned char *)malloc(32); unsigned char *sig = (unsigned char *)malloc(64); - rustsecp256k1zkp_v0_5_0_keypair *keypair = (rustsecp256k1zkp_v0_5_0_keypair *)malloc(sizeof(*keypair)); + rustsecp256k1zkp_v0_6_0_keypair *keypair = (rustsecp256k1zkp_v0_6_0_keypair *)malloc(sizeof(*keypair)); unsigned char *pk_char = (unsigned char *)malloc(32); - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk; msg[0] = sk[0] = i; msg[1] = sk[1] = i >> 8; msg[2] = sk[2] = i >> 16; @@ -77,10 +77,10 @@ int main(void) { data.msgs[i] = msg; data.sigs[i] = sig; - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(data.ctx, keypair, sk)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(data.ctx, sig, msg, keypair, NULL, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(data.ctx, &pk, NULL, keypair)); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(data.ctx, pk_char, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(data.ctx, keypair, sk)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(data.ctx, sig, msg, keypair, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(data.ctx, &pk, NULL, keypair)); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(data.ctx, pk_char, &pk) == 1); } run_benchmark("schnorrsig_sign", bench_schnorrsig_sign, NULL, NULL, (void *) &data, 10, iters); @@ -97,6 +97,6 @@ int main(void) { free(data.msgs); free(data.sigs); - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_sign.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_sign.c index f1865484..b66446b3 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_sign.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_sign.c @@ -4,12 +4,12 @@ * file COPYING or https://www.opensource.org/licenses/mit-license.php.* ***********************************************************************/ -#include "include/secp256k1.h" +#include "../include/secp256k1.h" #include "util.h" #include "bench.h" typedef struct { - rustsecp256k1zkp_v0_5_0_context* ctx; + rustsecp256k1zkp_v0_6_0_context* ctx; unsigned char msg[32]; unsigned char key[32]; } bench_sign_data; @@ -34,9 +34,9 @@ static void bench_sign_run(void* arg, int iters) { for (i = 0; i < iters; i++) { size_t siglen = 74; int j; - rustsecp256k1zkp_v0_5_0_ecdsa_signature signature; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(data->ctx, &signature, data->msg, data->key, NULL, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(data->ctx, sig, &siglen, &signature)); + rustsecp256k1zkp_v0_6_0_ecdsa_signature signature; + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(data->ctx, &signature, data->msg, data->key, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(data->ctx, sig, &siglen, &signature)); for (j = 0; j < 32; j++) { data->msg[j] = sig[j]; data->key[j] = sig[j + 32]; @@ -49,10 +49,10 @@ int main(void) { int iters = get_iters(20000); - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); run_benchmark("ecdsa_sign", bench_sign_run, bench_sign_setup, NULL, &data, 10, iters); - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_verify.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_verify.c index 8cc632d3..9491ed01 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_verify.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_verify.c @@ -7,7 +7,7 @@ #include #include -#include "include/secp256k1.h" +#include "../include/secp256k1.h" #include "util.h" #include "bench.h" @@ -19,7 +19,7 @@ typedef struct { - rustsecp256k1zkp_v0_5_0_context *ctx; + rustsecp256k1zkp_v0_6_0_context *ctx; unsigned char msg[32]; unsigned char key[32]; unsigned char sig[72]; @@ -36,14 +36,14 @@ static void bench_verify(void* arg, int iters) { bench_verify_data* data = (bench_verify_data*)arg; for (i = 0; i < iters; i++) { - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; data->sig[data->siglen - 1] ^= (i & 0xFF); data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF); data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(data->ctx, &pubkey, data->pubkey, data->pubkeylen) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(data->ctx, &sig, data->sig, data->siglen) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(data->ctx, &sig, data->msg, &pubkey) == (i == 0)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(data->ctx, &pubkey, data->pubkey, data->pubkeylen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(data->ctx, &sig, data->sig, data->siglen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(data->ctx, &sig, data->msg, &pubkey) == (i == 0)); data->sig[data->siglen - 1] ^= (i & 0xFF); data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF); data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF); @@ -82,13 +82,13 @@ static void bench_verify_openssl(void* arg, int iters) { int main(void) { int i; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; bench_verify_data data; int iters = get_iters(20000); - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); for (i = 0; i < 32; i++) { data.msg[i] = 1 + i; @@ -97,11 +97,11 @@ int main(void) { data.key[i] = 33 + i; } data.siglen = 72; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(data.ctx, &sig, data.msg, data.key, NULL, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(data.ctx, data.sig, &data.siglen, &sig)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(data.ctx, &pubkey, data.key)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(data.ctx, &sig, data.msg, data.key, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(data.ctx, data.sig, &data.siglen, &sig)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(data.ctx, &pubkey, data.key)); data.pubkeylen = 33; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(data.ctx, data.pubkey, &data.pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(data.ctx, data.pubkey, &data.pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED) == 1); run_benchmark("ecdsa_verify", bench_verify, NULL, NULL, &data, 10, iters); #ifdef ENABLE_OPENSSL_TESTS @@ -110,6 +110,6 @@ int main(void) { EC_GROUP_free(data.ec_group); #endif - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/bench_whitelist.c b/secp256k1-zkp-sys/depend/secp256k1/src/bench_whitelist.c index d1607e8f..b5394ec9 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/bench_whitelist.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/bench_whitelist.c @@ -11,21 +11,20 @@ #include "util.h" #include "bench.h" #include "hash_impl.h" -#include "num_impl.h" #include "scalar_impl.h" #include "testrand_impl.h" #define MAX_N_KEYS 30 typedef struct { - rustsecp256k1zkp_v0_5_0_context* ctx; + rustsecp256k1zkp_v0_6_0_context* ctx; unsigned char online_seckey[MAX_N_KEYS][32]; unsigned char summed_seckey[MAX_N_KEYS][32]; - rustsecp256k1zkp_v0_5_0_pubkey online_pubkeys[MAX_N_KEYS]; - rustsecp256k1zkp_v0_5_0_pubkey offline_pubkeys[MAX_N_KEYS]; + rustsecp256k1zkp_v0_6_0_pubkey online_pubkeys[MAX_N_KEYS]; + rustsecp256k1zkp_v0_6_0_pubkey offline_pubkeys[MAX_N_KEYS]; unsigned char csub[32]; - rustsecp256k1zkp_v0_5_0_pubkey sub_pubkey; - rustsecp256k1zkp_v0_5_0_whitelist_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey sub_pubkey; + rustsecp256k1zkp_v0_6_0_whitelist_signature sig; size_t n_keys; } bench_data; @@ -33,14 +32,14 @@ static void bench_whitelist(void* arg, int iters) { bench_data* data = (bench_data*)arg; int i; for (i = 0; i < iters; i++) { - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_verify(data->ctx, &data->sig, data->online_pubkeys, data->offline_pubkeys, data->n_keys, &data->sub_pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_verify(data->ctx, &data->sig, data->online_pubkeys, data->offline_pubkeys, data->n_keys, &data->sub_pubkey) == 1); } } static void bench_whitelist_setup(void* arg) { bench_data* data = (bench_data*)arg; int i = 0; - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_sign(data->ctx, &data->sig, data->online_pubkeys, data->offline_pubkeys, data->n_keys, &data->sub_pubkey, data->online_seckey[i], data->summed_seckey[i], i, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_sign(data->ctx, &data->sig, data->online_pubkeys, data->offline_pubkeys, data->n_keys, &data->sub_pubkey, data->online_seckey[i], data->summed_seckey[i], i, NULL, NULL)); } static void run_test(bench_data* data, int iters) { @@ -49,13 +48,13 @@ static void run_test(bench_data* data, int iters) { run_benchmark(str, bench_whitelist, bench_whitelist_setup, NULL, data, 100, iters); } -void random_scalar_order(rustsecp256k1zkp_v0_5_0_scalar *num) { +void random_scalar_order(rustsecp256k1zkp_v0_6_0_scalar *num) { do { unsigned char b32[32]; int overflow = 0; - rustsecp256k1zkp_v0_5_0_testrand256(b32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(num, b32, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(num)) { + rustsecp256k1zkp_v0_6_0_testrand256(b32); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(num, b32, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(num)) { continue; } break; @@ -66,35 +65,35 @@ int main(void) { bench_data data; size_t i; size_t n_keys = 30; - rustsecp256k1zkp_v0_5_0_scalar ssub; + rustsecp256k1zkp_v0_6_0_scalar ssub; int iters = get_iters(5); - data.ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + data.ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); /* Start with subkey */ random_scalar_order(&ssub); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(data.csub, &ssub); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(data.ctx, data.csub) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(data.ctx, &data.sub_pubkey, data.csub) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(data.csub, &ssub); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(data.ctx, data.csub) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(data.ctx, &data.sub_pubkey, data.csub) == 1); /* Then offline and online whitelist keys */ for (i = 0; i < n_keys; i++) { - rustsecp256k1zkp_v0_5_0_scalar son, soff; + rustsecp256k1zkp_v0_6_0_scalar son, soff; /* Create two keys */ random_scalar_order(&son); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(data.online_seckey[i], &son); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(data.ctx, data.online_seckey[i]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(data.ctx, &data.online_pubkeys[i], data.online_seckey[i]) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(data.online_seckey[i], &son); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(data.ctx, data.online_seckey[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(data.ctx, &data.online_pubkeys[i], data.online_seckey[i]) == 1); random_scalar_order(&soff); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(data.summed_seckey[i], &soff); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(data.ctx, data.summed_seckey[i]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(data.ctx, &data.offline_pubkeys[i], data.summed_seckey[i]) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(data.summed_seckey[i], &soff); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(data.ctx, data.summed_seckey[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(data.ctx, &data.offline_pubkeys[i], data.summed_seckey[i]) == 1); /* Make summed_seckey correspond to the sum of offline_pubkey and sub_pubkey */ - rustsecp256k1zkp_v0_5_0_scalar_add(&soff, &soff, &ssub); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(data.summed_seckey[i], &soff); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(data.ctx, data.summed_seckey[i]) == 1); + rustsecp256k1zkp_v0_6_0_scalar_add(&soff, &soff, &ssub); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(data.summed_seckey[i], &soff); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(data.ctx, data.summed_seckey[i]) == 1); } /* Run test */ @@ -103,6 +102,6 @@ int main(void) { run_test(&data, iters); } - rustsecp256k1zkp_v0_5_0_context_destroy(data.ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(data.ctx); return(0); } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/eccommit.h b/secp256k1-zkp-sys/depend/secp256k1/src/eccommit.h index fa072735..94f2f9c9 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/eccommit.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/eccommit.h @@ -8,21 +8,21 @@ #define SECP256K1_ECCOMMIT_H /** Helper function to add a 32-byte value to a scalar */ -static int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_5_0_scalar *sec, const unsigned char *tweak); +static int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_6_0_scalar *sec, const unsigned char *tweak); /** Helper function to add a 32-byte value, times G, to an EC point */ -static int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_ge *p, const unsigned char *tweak); +static int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_ge *p, const unsigned char *tweak); /** Serializes elem as a 33 byte array. This is non-constant time with respect to * whether pubp is the point at infinity. Thus, you may need to declassify * pubp->infinity before calling this function. */ -static int rustsecp256k1zkp_v0_5_0_ec_commit_pubkey_serialize_const(rustsecp256k1zkp_v0_5_0_ge *pubp, unsigned char *buf33); +static int rustsecp256k1zkp_v0_6_0_ec_commit_pubkey_serialize_const(rustsecp256k1zkp_v0_6_0_ge *pubp, unsigned char *buf33); /** Compute an ec commitment tweak as hash(pubkey, data). */ -static int rustsecp256k1zkp_v0_5_0_ec_commit_tweak(unsigned char *tweak32, rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size); +static int rustsecp256k1zkp_v0_6_0_ec_commit_tweak(unsigned char *tweak32, rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size); /** Compute an ec commitment as pubkey + hash(pubkey, data)*G. */ -static int rustsecp256k1zkp_v0_5_0_ec_commit(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_ge* commitp, const rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size); +static int rustsecp256k1zkp_v0_6_0_ec_commit(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_ge* commitp, const rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size); /** Compute a secret key commitment as seckey + hash(pubkey, data). */ -static int rustsecp256k1zkp_v0_5_0_ec_commit_seckey(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ecmult_gen_ctx, rustsecp256k1zkp_v0_5_0_scalar* seckey, rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size); +static int rustsecp256k1zkp_v0_6_0_ec_commit_seckey(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ecmult_gen_ctx, rustsecp256k1zkp_v0_6_0_scalar* seckey, rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size); /** Verify an ec commitment as pubkey + hash(pubkey, data)*G ?= commitment. */ -static int rustsecp256k1zkp_v0_5_0_ec_commit_verify(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_5_0_ge* commitp, const rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size); +static int rustsecp256k1zkp_v0_6_0_ec_commit_verify(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_6_0_ge* commitp, const rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size); #endif /* SECP256K1_ECCOMMIT_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/eccommit_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/eccommit_impl.h index 1c2eda7e..76bbcdc5 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/eccommit_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/eccommit_impl.h @@ -10,64 +10,64 @@ #include "hash.h" /* from secp256k1.c */ -static int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_5_0_scalar *sec, const unsigned char *tweak); -static int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_ge *pubp, const unsigned char *tweak); +static int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_6_0_scalar *sec, const unsigned char *tweak); +static int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_ge *pubp, const unsigned char *tweak); -static int rustsecp256k1zkp_v0_5_0_ec_commit_pubkey_serialize_const(rustsecp256k1zkp_v0_5_0_ge *pubp, unsigned char *buf33) { - if (rustsecp256k1zkp_v0_5_0_ge_is_infinity(pubp)) { +static int rustsecp256k1zkp_v0_6_0_ec_commit_pubkey_serialize_const(rustsecp256k1zkp_v0_6_0_ge *pubp, unsigned char *buf33) { + if (rustsecp256k1zkp_v0_6_0_ge_is_infinity(pubp)) { return 0; } - rustsecp256k1zkp_v0_5_0_fe_normalize(&pubp->x); - rustsecp256k1zkp_v0_5_0_fe_normalize(&pubp->y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&buf33[1], &pubp->x); - buf33[0] = rustsecp256k1zkp_v0_5_0_fe_is_odd(&pubp->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN; + rustsecp256k1zkp_v0_6_0_fe_normalize(&pubp->x); + rustsecp256k1zkp_v0_6_0_fe_normalize(&pubp->y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&buf33[1], &pubp->x); + buf33[0] = rustsecp256k1zkp_v0_6_0_fe_is_odd(&pubp->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN; return 1; } /* Compute an ec commitment tweak as hash(pubp, data). */ -static int rustsecp256k1zkp_v0_5_0_ec_commit_tweak(unsigned char *tweak32, rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size) +static int rustsecp256k1zkp_v0_6_0_ec_commit_tweak(unsigned char *tweak32, rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size) { unsigned char rbuf[33]; - if (!rustsecp256k1zkp_v0_5_0_ec_commit_pubkey_serialize_const(pubp, rbuf)) { + if (!rustsecp256k1zkp_v0_6_0_ec_commit_pubkey_serialize_const(pubp, rbuf)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(sha, rbuf, sizeof(rbuf)); - rustsecp256k1zkp_v0_5_0_sha256_write(sha, data, data_size); - rustsecp256k1zkp_v0_5_0_sha256_finalize(sha, tweak32); + rustsecp256k1zkp_v0_6_0_sha256_write(sha, rbuf, sizeof(rbuf)); + rustsecp256k1zkp_v0_6_0_sha256_write(sha, data, data_size); + rustsecp256k1zkp_v0_6_0_sha256_finalize(sha, tweak32); return 1; } /* Compute an ec commitment as pubp + hash(pubp, data)*G. */ -static int rustsecp256k1zkp_v0_5_0_ec_commit(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_ge* commitp, const rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size) { +static int rustsecp256k1zkp_v0_6_0_ec_commit(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_ge* commitp, const rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size) { unsigned char tweak[32]; *commitp = *pubp; - return rustsecp256k1zkp_v0_5_0_ec_commit_tweak(tweak, commitp, sha, data, data_size) - && rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(ecmult_ctx, commitp, tweak); + return rustsecp256k1zkp_v0_6_0_ec_commit_tweak(tweak, commitp, sha, data, data_size) + && rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(ecmult_ctx, commitp, tweak); } /* Compute the seckey of an ec commitment from the original secret key of the pubkey as seckey + * hash(pubp, data). */ -static int rustsecp256k1zkp_v0_5_0_ec_commit_seckey(rustsecp256k1zkp_v0_5_0_scalar* seckey, rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size) { +static int rustsecp256k1zkp_v0_6_0_ec_commit_seckey(rustsecp256k1zkp_v0_6_0_scalar* seckey, rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size) { unsigned char tweak[32]; - return rustsecp256k1zkp_v0_5_0_ec_commit_tweak(tweak, pubp, sha, data, data_size) - && rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(seckey, tweak); + return rustsecp256k1zkp_v0_6_0_ec_commit_tweak(tweak, pubp, sha, data, data_size) + && rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(seckey, tweak); } /* Verify an ec commitment as pubp + hash(pubp, data)*G ?= commitment. */ -static int rustsecp256k1zkp_v0_5_0_ec_commit_verify(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_5_0_ge* commitp, const rustsecp256k1zkp_v0_5_0_ge* pubp, rustsecp256k1zkp_v0_5_0_sha256* sha, const unsigned char *data, size_t data_size) { - rustsecp256k1zkp_v0_5_0_gej pj; - rustsecp256k1zkp_v0_5_0_ge p; +static int rustsecp256k1zkp_v0_6_0_ec_commit_verify(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_6_0_ge* commitp, const rustsecp256k1zkp_v0_6_0_ge* pubp, rustsecp256k1zkp_v0_6_0_sha256* sha, const unsigned char *data, size_t data_size) { + rustsecp256k1zkp_v0_6_0_gej pj; + rustsecp256k1zkp_v0_6_0_ge p; - if (!rustsecp256k1zkp_v0_5_0_ec_commit(ecmult_ctx, &p, pubp, sha, data, data_size)) { + if (!rustsecp256k1zkp_v0_6_0_ec_commit(ecmult_ctx, &p, pubp, sha, data, data_size)) { return 0; } /* Return p == commitp */ - rustsecp256k1zkp_v0_5_0_ge_neg(&p, &p); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pj, &p); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&pj, &pj, commitp, NULL); - return rustsecp256k1zkp_v0_5_0_gej_is_infinity(&pj); + rustsecp256k1zkp_v0_6_0_ge_neg(&p, &p); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pj, &p); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&pj, &pj, commitp, NULL); + return rustsecp256k1zkp_v0_6_0_gej_is_infinity(&pj); } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa.h index 34f58db3..7c51beeb 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa.h @@ -13,9 +13,9 @@ #include "group.h" #include "ecmult.h" -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_parse(rustsecp256k1zkp_v0_5_0_scalar *r, rustsecp256k1zkp_v0_5_0_scalar *s, const unsigned char *sig, size_t size); -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *s); -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, const rustsecp256k1zkp_v0_5_0_scalar* r, const rustsecp256k1zkp_v0_5_0_scalar* s, const rustsecp256k1zkp_v0_5_0_ge *pubkey, const rustsecp256k1zkp_v0_5_0_scalar *message); -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx, rustsecp256k1zkp_v0_5_0_scalar* r, rustsecp256k1zkp_v0_5_0_scalar* s, const rustsecp256k1zkp_v0_5_0_scalar *seckey, const rustsecp256k1zkp_v0_5_0_scalar *message, const rustsecp256k1zkp_v0_5_0_scalar *nonce, int *recid); +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_parse(rustsecp256k1zkp_v0_6_0_scalar *r, rustsecp256k1zkp_v0_6_0_scalar *s, const unsigned char *sig, size_t size); +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *s); +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, const rustsecp256k1zkp_v0_6_0_scalar* r, const rustsecp256k1zkp_v0_6_0_scalar* s, const rustsecp256k1zkp_v0_6_0_ge *pubkey, const rustsecp256k1zkp_v0_6_0_scalar *message); +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx, rustsecp256k1zkp_v0_6_0_scalar* r, rustsecp256k1zkp_v0_6_0_scalar* s, const rustsecp256k1zkp_v0_6_0_scalar *seckey, const rustsecp256k1zkp_v0_6_0_scalar *message, const rustsecp256k1zkp_v0_6_0_scalar *nonce, int *recid); #endif /* SECP256K1_ECDSA_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa_impl.h index 9b363f09..16aad47c 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecdsa_impl.h @@ -28,7 +28,7 @@ * sage: '%x' % (EllipticCurve ([F (a), F (b)]).order()) * 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141' */ -static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_ecdsa_const_order_as_fe = SECP256K1_FE_CONST( +static const rustsecp256k1zkp_v0_6_0_fe rustsecp256k1zkp_v0_6_0_ecdsa_const_order_as_fe = SECP256K1_FE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL ); @@ -42,11 +42,11 @@ static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_ecdsa_const_orde * sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order()) * '14551231950b75fc4402da1722fc9baee' */ -static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_ecdsa_const_p_minus_order = SECP256K1_FE_CONST( +static const rustsecp256k1zkp_v0_6_0_fe rustsecp256k1zkp_v0_6_0_ecdsa_const_p_minus_order = SECP256K1_FE_CONST( 0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL ); -static int rustsecp256k1zkp_v0_5_0_der_read_len(size_t *len, const unsigned char **sigp, const unsigned char *sigend) { +static int rustsecp256k1zkp_v0_6_0_der_read_len(size_t *len, const unsigned char **sigp, const unsigned char *sigend) { size_t lenleft; unsigned char b1; VERIFY_CHECK(len != NULL); @@ -99,7 +99,7 @@ static int rustsecp256k1zkp_v0_5_0_der_read_len(size_t *len, const unsigned char return 1; } -static int rustsecp256k1zkp_v0_5_0_der_parse_integer(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char **sig, const unsigned char *sigend) { +static int rustsecp256k1zkp_v0_6_0_der_parse_integer(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char **sig, const unsigned char *sigend) { int overflow = 0; unsigned char ra[32] = {0}; size_t rlen; @@ -109,7 +109,7 @@ static int rustsecp256k1zkp_v0_5_0_der_parse_integer(rustsecp256k1zkp_v0_5_0_sca return 0; } (*sig)++; - if (rustsecp256k1zkp_v0_5_0_der_read_len(&rlen, sig, sigend) == 0) { + if (rustsecp256k1zkp_v0_6_0_der_read_len(&rlen, sig, sigend) == 0) { return 0; } if (rlen == 0 || *sig + rlen > sigend) { @@ -141,23 +141,23 @@ static int rustsecp256k1zkp_v0_5_0_der_parse_integer(rustsecp256k1zkp_v0_5_0_sca } if (!overflow) { memcpy(ra + 32 - rlen, *sig, rlen); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, ra, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(r, ra, &overflow); } if (overflow) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(r, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(r, 0); } (*sig) += rlen; return 1; } -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_parse(rustsecp256k1zkp_v0_5_0_scalar *rr, rustsecp256k1zkp_v0_5_0_scalar *rs, const unsigned char *sig, size_t size) { +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_parse(rustsecp256k1zkp_v0_6_0_scalar *rr, rustsecp256k1zkp_v0_6_0_scalar *rs, const unsigned char *sig, size_t size) { const unsigned char *sigend = sig + size; size_t rlen; if (sig == sigend || *(sig++) != 0x30) { /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */ return 0; } - if (rustsecp256k1zkp_v0_5_0_der_read_len(&rlen, &sig, sigend) == 0) { + if (rustsecp256k1zkp_v0_6_0_der_read_len(&rlen, &sig, sigend) == 0) { return 0; } if (rlen != (size_t)(sigend - sig)) { @@ -165,10 +165,10 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_parse(rustsecp256k1zkp_v0_5_0_scala return 0; } - if (!rustsecp256k1zkp_v0_5_0_der_parse_integer(rr, &sig, sigend)) { + if (!rustsecp256k1zkp_v0_6_0_der_parse_integer(rr, &sig, sigend)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_der_parse_integer(rs, &sig, sigend)) { + if (!rustsecp256k1zkp_v0_6_0_der_parse_integer(rs, &sig, sigend)) { return 0; } @@ -180,12 +180,12 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_parse(rustsecp256k1zkp_v0_5_0_scala return 1; } -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1zkp_v0_5_0_scalar* ar, const rustsecp256k1zkp_v0_5_0_scalar* as) { +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1zkp_v0_6_0_scalar* ar, const rustsecp256k1zkp_v0_6_0_scalar* as) { unsigned char r[33] = {0}, s[33] = {0}; unsigned char *rp = r, *sp = s; size_t lenR = 33, lenS = 33; - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&r[1], ar); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&s[1], as); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&r[1], ar); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&s[1], as); while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; } while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; } if (*size < 6+lenS+lenR) { @@ -204,42 +204,42 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_serialize(unsigned char *sig, size_ return 1; } -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, const rustsecp256k1zkp_v0_5_0_scalar *sigr, const rustsecp256k1zkp_v0_5_0_scalar *sigs, const rustsecp256k1zkp_v0_5_0_ge *pubkey, const rustsecp256k1zkp_v0_5_0_scalar *message) { +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, const rustsecp256k1zkp_v0_6_0_scalar *sigr, const rustsecp256k1zkp_v0_6_0_scalar *sigs, const rustsecp256k1zkp_v0_6_0_ge *pubkey, const rustsecp256k1zkp_v0_6_0_scalar *message) { unsigned char c[32]; - rustsecp256k1zkp_v0_5_0_scalar sn, u1, u2; + rustsecp256k1zkp_v0_6_0_scalar sn, u1, u2; #if !defined(EXHAUSTIVE_TEST_ORDER) - rustsecp256k1zkp_v0_5_0_fe xr; + rustsecp256k1zkp_v0_6_0_fe xr; #endif - rustsecp256k1zkp_v0_5_0_gej pubkeyj; - rustsecp256k1zkp_v0_5_0_gej pr; + rustsecp256k1zkp_v0_6_0_gej pubkeyj; + rustsecp256k1zkp_v0_6_0_gej pr; - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(sigr) || rustsecp256k1zkp_v0_5_0_scalar_is_zero(sigs)) { + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(sigr) || rustsecp256k1zkp_v0_6_0_scalar_is_zero(sigs)) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_inverse_var(&sn, sigs); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u1, &sn, message); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u2, &sn, sigr); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pubkeyj, pubkey); - rustsecp256k1zkp_v0_5_0_ecmult(ctx, &pr, &pubkeyj, &u2, &u1); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&pr)) { + rustsecp256k1zkp_v0_6_0_scalar_inverse_var(&sn, sigs); + rustsecp256k1zkp_v0_6_0_scalar_mul(&u1, &sn, message); + rustsecp256k1zkp_v0_6_0_scalar_mul(&u2, &sn, sigr); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pubkeyj, pubkey); + rustsecp256k1zkp_v0_6_0_ecmult(ctx, &pr, &pubkeyj, &u2, &u1); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&pr)) { return 0; } #if defined(EXHAUSTIVE_TEST_ORDER) { - rustsecp256k1zkp_v0_5_0_scalar computed_r; - rustsecp256k1zkp_v0_5_0_ge pr_ge; - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pr_ge, &pr); - rustsecp256k1zkp_v0_5_0_fe_normalize(&pr_ge.x); + rustsecp256k1zkp_v0_6_0_scalar computed_r; + rustsecp256k1zkp_v0_6_0_ge pr_ge; + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pr_ge, &pr); + rustsecp256k1zkp_v0_6_0_fe_normalize(&pr_ge.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(c, &pr_ge.x); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&computed_r, c, NULL); - return rustsecp256k1zkp_v0_5_0_scalar_eq(sigr, &computed_r); + rustsecp256k1zkp_v0_6_0_fe_get_b32(c, &pr_ge.x); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&computed_r, c, NULL); + return rustsecp256k1zkp_v0_6_0_scalar_eq(sigr, &computed_r); } #else - rustsecp256k1zkp_v0_5_0_scalar_get_b32(c, sigr); - rustsecp256k1zkp_v0_5_0_fe_set_b32(&xr, c); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(c, sigr); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&xr, c); /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n) * in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p), @@ -255,18 +255,18 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(const rustsecp256k1zkp_v0_5_ * <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x) * * Thus, we can avoid the inversion, but we have to check both cases separately. - * rustsecp256k1zkp_v0_5_0_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test. + * rustsecp256k1zkp_v0_6_0_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test. */ - if (rustsecp256k1zkp_v0_5_0_gej_eq_x_var(&xr, &pr)) { + if (rustsecp256k1zkp_v0_6_0_gej_eq_x_var(&xr, &pr)) { /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */ return 1; } - if (rustsecp256k1zkp_v0_5_0_fe_cmp_var(&xr, &rustsecp256k1zkp_v0_5_0_ecdsa_const_p_minus_order) >= 0) { + if (rustsecp256k1zkp_v0_6_0_fe_cmp_var(&xr, &rustsecp256k1zkp_v0_6_0_ecdsa_const_p_minus_order) >= 0) { /* xr + n >= p, so we can skip testing the second case. */ return 0; } - rustsecp256k1zkp_v0_5_0_fe_add(&xr, &rustsecp256k1zkp_v0_5_0_ecdsa_const_order_as_fe); - if (rustsecp256k1zkp_v0_5_0_gej_eq_x_var(&xr, &pr)) { + rustsecp256k1zkp_v0_6_0_fe_add(&xr, &rustsecp256k1zkp_v0_6_0_ecdsa_const_order_as_fe); + if (rustsecp256k1zkp_v0_6_0_gej_eq_x_var(&xr, &pr)) { /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */ return 1; } @@ -274,42 +274,42 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(const rustsecp256k1zkp_v0_5_ #endif } -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx, rustsecp256k1zkp_v0_5_0_scalar *sigr, rustsecp256k1zkp_v0_5_0_scalar *sigs, const rustsecp256k1zkp_v0_5_0_scalar *seckey, const rustsecp256k1zkp_v0_5_0_scalar *message, const rustsecp256k1zkp_v0_5_0_scalar *nonce, int *recid) { +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx, rustsecp256k1zkp_v0_6_0_scalar *sigr, rustsecp256k1zkp_v0_6_0_scalar *sigs, const rustsecp256k1zkp_v0_6_0_scalar *seckey, const rustsecp256k1zkp_v0_6_0_scalar *message, const rustsecp256k1zkp_v0_6_0_scalar *nonce, int *recid) { unsigned char b[32]; - rustsecp256k1zkp_v0_5_0_gej rp; - rustsecp256k1zkp_v0_5_0_ge r; - rustsecp256k1zkp_v0_5_0_scalar n; + rustsecp256k1zkp_v0_6_0_gej rp; + rustsecp256k1zkp_v0_6_0_ge r; + rustsecp256k1zkp_v0_6_0_scalar n; int overflow = 0; int high; - rustsecp256k1zkp_v0_5_0_ecmult_gen(ctx, &rp, nonce); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&r, &rp); - rustsecp256k1zkp_v0_5_0_fe_normalize(&r.x); - rustsecp256k1zkp_v0_5_0_fe_normalize(&r.y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(b, &r.x); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(sigr, b, &overflow); + rustsecp256k1zkp_v0_6_0_ecmult_gen(ctx, &rp, nonce); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&r, &rp); + rustsecp256k1zkp_v0_6_0_fe_normalize(&r.x); + rustsecp256k1zkp_v0_6_0_fe_normalize(&r.y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(b, &r.x); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(sigr, b, &overflow); if (recid) { /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. */ - *recid = (overflow << 1) | rustsecp256k1zkp_v0_5_0_fe_is_odd(&r.y); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(&n, sigr, seckey); - rustsecp256k1zkp_v0_5_0_scalar_add(&n, &n, message); - rustsecp256k1zkp_v0_5_0_scalar_inverse(sigs, nonce); - rustsecp256k1zkp_v0_5_0_scalar_mul(sigs, sigs, &n); - rustsecp256k1zkp_v0_5_0_scalar_clear(&n); - rustsecp256k1zkp_v0_5_0_gej_clear(&rp); - rustsecp256k1zkp_v0_5_0_ge_clear(&r); - high = rustsecp256k1zkp_v0_5_0_scalar_is_high(sigs); - rustsecp256k1zkp_v0_5_0_scalar_cond_negate(sigs, high); + *recid = (overflow << 1) | rustsecp256k1zkp_v0_6_0_fe_is_odd(&r.y); + } + rustsecp256k1zkp_v0_6_0_scalar_mul(&n, sigr, seckey); + rustsecp256k1zkp_v0_6_0_scalar_add(&n, &n, message); + rustsecp256k1zkp_v0_6_0_scalar_inverse(sigs, nonce); + rustsecp256k1zkp_v0_6_0_scalar_mul(sigs, sigs, &n); + rustsecp256k1zkp_v0_6_0_scalar_clear(&n); + rustsecp256k1zkp_v0_6_0_gej_clear(&rp); + rustsecp256k1zkp_v0_6_0_ge_clear(&r); + high = rustsecp256k1zkp_v0_6_0_scalar_is_high(sigs); + rustsecp256k1zkp_v0_6_0_scalar_cond_negate(sigs, high); if (recid) { *recid ^= high; } /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature. * This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N. */ - return !rustsecp256k1zkp_v0_5_0_scalar_is_zero(sigr) & !rustsecp256k1zkp_v0_5_0_scalar_is_zero(sigs); + return !rustsecp256k1zkp_v0_6_0_scalar_is_zero(sigr) & !rustsecp256k1zkp_v0_6_0_scalar_is_zero(sigs); } #endif /* SECP256K1_ECDSA_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/eckey.h b/secp256k1-zkp-sys/depend/secp256k1/src/eckey.h index 4a55b3d5..904d9a9a 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/eckey.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/eckey.h @@ -14,12 +14,12 @@ #include "ecmult.h" #include "ecmult_gen.h" -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(rustsecp256k1zkp_v0_5_0_ge *elem, const unsigned char *pub, size_t size); -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(rustsecp256k1zkp_v0_5_0_ge *elem, unsigned char *pub, size_t *size, int compressed); +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(rustsecp256k1zkp_v0_6_0_ge *elem, const unsigned char *pub, size_t size); +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(rustsecp256k1zkp_v0_6_0_ge *elem, unsigned char *pub, size_t *size, int compressed); -static int rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_add(rustsecp256k1zkp_v0_5_0_scalar *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak); -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_add(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_ge *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak); -static int rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_mul(rustsecp256k1zkp_v0_5_0_scalar *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak); -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_ge *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak); +static int rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_add(rustsecp256k1zkp_v0_6_0_scalar *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak); +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_add(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_ge *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak); +static int rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_mul(rustsecp256k1zkp_v0_6_0_scalar *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak); +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_mul(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_ge *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak); #endif /* SECP256K1_ECKEY_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/eckey_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/eckey_impl.h index f4e04317..06954136 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/eckey_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/eckey_impl.h @@ -14,82 +14,82 @@ #include "group.h" #include "ecmult_gen.h" -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(rustsecp256k1zkp_v0_5_0_ge *elem, const unsigned char *pub, size_t size) { +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(rustsecp256k1zkp_v0_6_0_ge *elem, const unsigned char *pub, size_t size) { if (size == 33 && (pub[0] == SECP256K1_TAG_PUBKEY_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_ODD)) { - rustsecp256k1zkp_v0_5_0_fe x; - return rustsecp256k1zkp_v0_5_0_fe_set_b32(&x, pub+1) && rustsecp256k1zkp_v0_5_0_ge_set_xo_var(elem, &x, pub[0] == SECP256K1_TAG_PUBKEY_ODD); + rustsecp256k1zkp_v0_6_0_fe x; + return rustsecp256k1zkp_v0_6_0_fe_set_b32(&x, pub+1) && rustsecp256k1zkp_v0_6_0_ge_set_xo_var(elem, &x, pub[0] == SECP256K1_TAG_PUBKEY_ODD); } else if (size == 65 && (pub[0] == SECP256K1_TAG_PUBKEY_UNCOMPRESSED || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) { - rustsecp256k1zkp_v0_5_0_fe x, y; - if (!rustsecp256k1zkp_v0_5_0_fe_set_b32(&x, pub+1) || !rustsecp256k1zkp_v0_5_0_fe_set_b32(&y, pub+33)) { + rustsecp256k1zkp_v0_6_0_fe x, y; + if (!rustsecp256k1zkp_v0_6_0_fe_set_b32(&x, pub+1) || !rustsecp256k1zkp_v0_6_0_fe_set_b32(&y, pub+33)) { return 0; } - rustsecp256k1zkp_v0_5_0_ge_set_xy(elem, &x, &y); + rustsecp256k1zkp_v0_6_0_ge_set_xy(elem, &x, &y); if ((pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD) && - rustsecp256k1zkp_v0_5_0_fe_is_odd(&y) != (pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) { + rustsecp256k1zkp_v0_6_0_fe_is_odd(&y) != (pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) { return 0; } - return rustsecp256k1zkp_v0_5_0_ge_is_valid_var(elem); + return rustsecp256k1zkp_v0_6_0_ge_is_valid_var(elem); } else { return 0; } } -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(rustsecp256k1zkp_v0_5_0_ge *elem, unsigned char *pub, size_t *size, int compressed) { - if (rustsecp256k1zkp_v0_5_0_ge_is_infinity(elem)) { +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(rustsecp256k1zkp_v0_6_0_ge *elem, unsigned char *pub, size_t *size, int compressed) { + if (rustsecp256k1zkp_v0_6_0_ge_is_infinity(elem)) { return 0; } - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&elem->x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&elem->y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&pub[1], &elem->x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&elem->x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&elem->y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&pub[1], &elem->x); if (compressed) { *size = 33; - pub[0] = rustsecp256k1zkp_v0_5_0_fe_is_odd(&elem->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN; + pub[0] = rustsecp256k1zkp_v0_6_0_fe_is_odd(&elem->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN; } else { *size = 65; pub[0] = SECP256K1_TAG_PUBKEY_UNCOMPRESSED; - rustsecp256k1zkp_v0_5_0_fe_get_b32(&pub[33], &elem->y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&pub[33], &elem->y); } return 1; } -static int rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_add(rustsecp256k1zkp_v0_5_0_scalar *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak) { - rustsecp256k1zkp_v0_5_0_scalar_add(key, key, tweak); - return !rustsecp256k1zkp_v0_5_0_scalar_is_zero(key); +static int rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_add(rustsecp256k1zkp_v0_6_0_scalar *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak) { + rustsecp256k1zkp_v0_6_0_scalar_add(key, key, tweak); + return !rustsecp256k1zkp_v0_6_0_scalar_is_zero(key); } -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_add(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_ge *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak) { - rustsecp256k1zkp_v0_5_0_gej pt; - rustsecp256k1zkp_v0_5_0_scalar one; - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pt, key); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&one, 1); - rustsecp256k1zkp_v0_5_0_ecmult(ctx, &pt, &pt, &one, tweak); +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_add(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_ge *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak) { + rustsecp256k1zkp_v0_6_0_gej pt; + rustsecp256k1zkp_v0_6_0_scalar one; + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pt, key); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&one, 1); + rustsecp256k1zkp_v0_6_0_ecmult(ctx, &pt, &pt, &one, tweak); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&pt)) { + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&pt)) { return 0; } - rustsecp256k1zkp_v0_5_0_ge_set_gej(key, &pt); + rustsecp256k1zkp_v0_6_0_ge_set_gej(key, &pt); return 1; } -static int rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_mul(rustsecp256k1zkp_v0_5_0_scalar *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak) { +static int rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_mul(rustsecp256k1zkp_v0_6_0_scalar *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak) { int ret; - ret = !rustsecp256k1zkp_v0_5_0_scalar_is_zero(tweak); + ret = !rustsecp256k1zkp_v0_6_0_scalar_is_zero(tweak); - rustsecp256k1zkp_v0_5_0_scalar_mul(key, key, tweak); + rustsecp256k1zkp_v0_6_0_scalar_mul(key, key, tweak); return ret; } -static int rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_ge *key, const rustsecp256k1zkp_v0_5_0_scalar *tweak) { - rustsecp256k1zkp_v0_5_0_scalar zero; - rustsecp256k1zkp_v0_5_0_gej pt; - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(tweak)) { +static int rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_mul(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_ge *key, const rustsecp256k1zkp_v0_6_0_scalar *tweak) { + rustsecp256k1zkp_v0_6_0_scalar zero; + rustsecp256k1zkp_v0_6_0_gej pt; + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(tweak)) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_set_int(&zero, 0); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pt, key); - rustsecp256k1zkp_v0_5_0_ecmult(ctx, &pt, &pt, tweak, &zero); - rustsecp256k1zkp_v0_5_0_ge_set_gej(key, &pt); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&zero, 0); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pt, key); + rustsecp256k1zkp_v0_6_0_ecmult(ctx, &pt, &pt, tweak, &zero); + rustsecp256k1zkp_v0_6_0_ge_set_gej(key, &pt); return 1; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult.h index 96da6104..6b8c2b02 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult.h @@ -7,28 +7,27 @@ #ifndef SECP256K1_ECMULT_H #define SECP256K1_ECMULT_H -#include "num.h" #include "group.h" #include "scalar.h" #include "scratch.h" typedef struct { /* For accelerating the computation of a*P + b*G: */ - rustsecp256k1zkp_v0_5_0_ge_storage (*pre_g)[]; /* odd multiples of the generator */ - rustsecp256k1zkp_v0_5_0_ge_storage (*pre_g_128)[]; /* odd multiples of 2^128*generator */ -} rustsecp256k1zkp_v0_5_0_ecmult_context; + rustsecp256k1zkp_v0_6_0_ge_storage (*pre_g)[]; /* odd multiples of the generator */ + rustsecp256k1zkp_v0_6_0_ge_storage (*pre_g_128)[]; /* odd multiples of 2^128*generator */ +} rustsecp256k1zkp_v0_6_0_ecmult_context; static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; -static void rustsecp256k1zkp_v0_5_0_ecmult_context_init(rustsecp256k1zkp_v0_5_0_ecmult_context *ctx); -static void rustsecp256k1zkp_v0_5_0_ecmult_context_build(rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, void **prealloc); -static void rustsecp256k1zkp_v0_5_0_ecmult_context_finalize_memcpy(rustsecp256k1zkp_v0_5_0_ecmult_context *dst, const rustsecp256k1zkp_v0_5_0_ecmult_context *src); -static void rustsecp256k1zkp_v0_5_0_ecmult_context_clear(rustsecp256k1zkp_v0_5_0_ecmult_context *ctx); -static int rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx); +static void rustsecp256k1zkp_v0_6_0_ecmult_context_init(rustsecp256k1zkp_v0_6_0_ecmult_context *ctx); +static void rustsecp256k1zkp_v0_6_0_ecmult_context_build(rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, void **prealloc); +static void rustsecp256k1zkp_v0_6_0_ecmult_context_finalize_memcpy(rustsecp256k1zkp_v0_6_0_ecmult_context *dst, const rustsecp256k1zkp_v0_6_0_ecmult_context *src); +static void rustsecp256k1zkp_v0_6_0_ecmult_context_clear(rustsecp256k1zkp_v0_6_0_ecmult_context *ctx); +static int rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx); /** Double multiply: R = na*A + ng*G */ -static void rustsecp256k1zkp_v0_5_0_ecmult(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_scalar *na, const rustsecp256k1zkp_v0_5_0_scalar *ng); +static void rustsecp256k1zkp_v0_6_0_ecmult(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_scalar *na, const rustsecp256k1zkp_v0_6_0_scalar *ng); -typedef int (rustsecp256k1zkp_v0_5_0_ecmult_multi_callback)(rustsecp256k1zkp_v0_5_0_scalar *sc, rustsecp256k1zkp_v0_5_0_ge *pt, size_t idx, void *data); +typedef int (rustsecp256k1zkp_v0_6_0_ecmult_multi_callback)(rustsecp256k1zkp_v0_6_0_scalar *sc, rustsecp256k1zkp_v0_6_0_ge *pt, size_t idx, void *data); /** * Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai. @@ -41,6 +40,6 @@ typedef int (rustsecp256k1zkp_v0_5_0_ecmult_multi_callback)(rustsecp256k1zkp_v0_ * 0 if there is not enough scratch space for a single point or * callback returns 0 */ -static int rustsecp256k1zkp_v0_5_0_ecmult_multi_var(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void *cbdata, size_t n); +static int rustsecp256k1zkp_v0_6_0_ecmult_multi_var(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_scratch *scratch, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void *cbdata, size_t n); #endif /* SECP256K1_ECMULT_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const.h index ac538fbe..b1688ef7 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const.h @@ -15,6 +15,6 @@ * Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus * one because we internally sometimes add 2 to the number during the WNAF conversion. */ -static void rustsecp256k1zkp_v0_5_0_ecmult_const(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_ge *a, const rustsecp256k1zkp_v0_5_0_scalar *q, int bits); +static void rustsecp256k1zkp_v0_6_0_ecmult_const(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_ge *a, const rustsecp256k1zkp_v0_6_0_scalar *q, int bits); #endif /* SECP256K1_ECMULT_CONST_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const_impl.h index 25444be3..0b52a3f9 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_const_impl.h @@ -19,12 +19,12 @@ int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \ int abs_n = ((n) + mask) ^ mask; \ int idx_n = abs_n >> 1; \ - rustsecp256k1zkp_v0_5_0_fe neg_y; \ + rustsecp256k1zkp_v0_6_0_fe neg_y; \ VERIFY_CHECK(((n) & 1) == 1); \ VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ - VERIFY_SETUP(rustsecp256k1zkp_v0_5_0_fe_clear(&(r)->x)); \ - VERIFY_SETUP(rustsecp256k1zkp_v0_5_0_fe_clear(&(r)->y)); \ + VERIFY_SETUP(rustsecp256k1zkp_v0_6_0_fe_clear(&(r)->x)); \ + VERIFY_SETUP(rustsecp256k1zkp_v0_6_0_fe_clear(&(r)->y)); \ /* Unconditionally set r->x = (pre)[m].x. r->y = (pre)[m].y. because it's either the correct one \ * or will get replaced in the later iterations, this is needed to make sure `r` is initialized. */ \ (r)->x = (pre)[m].x; \ @@ -32,12 +32,12 @@ for (m = 1; m < ECMULT_TABLE_SIZE(w); m++) { \ /* This loop is used to avoid secret data in array indices. See * the comment in ecmult_gen_impl.h for rationale. */ \ - rustsecp256k1zkp_v0_5_0_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \ - rustsecp256k1zkp_v0_5_0_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \ + rustsecp256k1zkp_v0_6_0_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \ + rustsecp256k1zkp_v0_6_0_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \ } \ (r)->infinity = 0; \ - rustsecp256k1zkp_v0_5_0_fe_negate(&neg_y, &(r)->y, 1); \ - rustsecp256k1zkp_v0_5_0_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \ + rustsecp256k1zkp_v0_6_0_fe_negate(&neg_y, &(r)->y, 1); \ + rustsecp256k1zkp_v0_6_0_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \ } while(0) @@ -54,7 +54,7 @@ * * Numbers reference steps of `Algorithm SPA-resistant Width-w NAF with Odd Scalar` on pp. 335 */ -static int rustsecp256k1zkp_v0_5_0_wnaf_const(int *wnaf, const rustsecp256k1zkp_v0_5_0_scalar *scalar, int w, int size) { +static int rustsecp256k1zkp_v0_6_0_wnaf_const(int *wnaf, const rustsecp256k1zkp_v0_6_0_scalar *scalar, int w, int size) { int global_sign; int skew = 0; int word = 0; @@ -65,7 +65,7 @@ static int rustsecp256k1zkp_v0_5_0_wnaf_const(int *wnaf, const rustsecp256k1zkp_ int flip; int bit; - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar s; int not_neg_one; VERIFY_CHECK(w > 0); @@ -83,32 +83,32 @@ static int rustsecp256k1zkp_v0_5_0_wnaf_const(int *wnaf, const rustsecp256k1zkp_ * particular, to ensure that the outputs from the endomorphism-split fit into * 128 bits). If we negate, the parity of our number flips, inverting which of * {1, 2} we want to add to the scalar when ensuring that it's odd. Further - * complicating things, -1 interacts badly with `rustsecp256k1zkp_v0_5_0_scalar_cadd_bit` and + * complicating things, -1 interacts badly with `rustsecp256k1zkp_v0_6_0_scalar_cadd_bit` and * we need to special-case it in this logic. */ - flip = rustsecp256k1zkp_v0_5_0_scalar_is_high(scalar); + flip = rustsecp256k1zkp_v0_6_0_scalar_is_high(scalar); /* We add 1 to even numbers, 2 to odd ones, noting that negation flips parity */ - bit = flip ^ !rustsecp256k1zkp_v0_5_0_scalar_is_even(scalar); + bit = flip ^ !rustsecp256k1zkp_v0_6_0_scalar_is_even(scalar); /* We check for negative one, since adding 2 to it will cause an overflow */ - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, scalar); - not_neg_one = !rustsecp256k1zkp_v0_5_0_scalar_is_one(&s); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, scalar); + not_neg_one = !rustsecp256k1zkp_v0_6_0_scalar_is_one(&s); s = *scalar; - rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(&s, bit, not_neg_one); + rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(&s, bit, not_neg_one); /* If we had negative one, flip == 1, s.d[0] == 0, bit == 1, so caller expects * that we added two to it and flipped it. In fact for -1 these operations are * identical. We only flipped, but since skewing is required (in the sense that * the skew must be 1 or 2, never zero) and flipping is not, we need to change * our flags to claim that we only skewed. */ - global_sign = rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&s, flip); + global_sign = rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&s, flip); global_sign *= not_neg_one * 2 - 1; skew = 1 << bit; /* 4 */ - u_last = rustsecp256k1zkp_v0_5_0_scalar_shr_int(&s, w); + u_last = rustsecp256k1zkp_v0_6_0_scalar_shr_int(&s, w); do { int even; /* 4.1 4.4 */ - u = rustsecp256k1zkp_v0_5_0_scalar_shr_int(&s, w); + u = rustsecp256k1zkp_v0_6_0_scalar_shr_int(&s, w); /* 4.2 */ even = ((u & 1) == 0); /* In contrast to the original algorithm, u_last is always > 0 and @@ -129,21 +129,21 @@ static int rustsecp256k1zkp_v0_5_0_wnaf_const(int *wnaf, const rustsecp256k1zkp_ } while (word * w < size); wnaf[word] = u * global_sign; - VERIFY_CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s)); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s)); VERIFY_CHECK(word == WNAF_SIZE_BITS(size, w)); return skew; } -static void rustsecp256k1zkp_v0_5_0_ecmult_const(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_ge *a, const rustsecp256k1zkp_v0_5_0_scalar *scalar, int size) { - rustsecp256k1zkp_v0_5_0_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1zkp_v0_5_0_ge tmpa; - rustsecp256k1zkp_v0_5_0_fe Z; +static void rustsecp256k1zkp_v0_6_0_ecmult_const(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_ge *a, const rustsecp256k1zkp_v0_6_0_scalar *scalar, int size) { + rustsecp256k1zkp_v0_6_0_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1zkp_v0_6_0_ge tmpa; + rustsecp256k1zkp_v0_6_0_fe Z; int skew_1; - rustsecp256k1zkp_v0_5_0_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1zkp_v0_6_0_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; int wnaf_lam[1 + WNAF_SIZE(WINDOW_A - 1)]; int skew_lam; - rustsecp256k1zkp_v0_5_0_scalar q_1, q_lam; + rustsecp256k1zkp_v0_6_0_scalar q_1, q_lam; int wnaf_1[1 + WNAF_SIZE(WINDOW_A - 1)]; int i; @@ -153,12 +153,12 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_const(rustsecp256k1zkp_v0_5_0_gej *r, if (size > 128) { rsize = 128; /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */ - rustsecp256k1zkp_v0_5_0_scalar_split_lambda(&q_1, &q_lam, scalar); - skew_1 = rustsecp256k1zkp_v0_5_0_wnaf_const(wnaf_1, &q_1, WINDOW_A - 1, 128); - skew_lam = rustsecp256k1zkp_v0_5_0_wnaf_const(wnaf_lam, &q_lam, WINDOW_A - 1, 128); + rustsecp256k1zkp_v0_6_0_scalar_split_lambda(&q_1, &q_lam, scalar); + skew_1 = rustsecp256k1zkp_v0_6_0_wnaf_const(wnaf_1, &q_1, WINDOW_A - 1, 128); + skew_lam = rustsecp256k1zkp_v0_6_0_wnaf_const(wnaf_lam, &q_lam, WINDOW_A - 1, 128); } else { - skew_1 = rustsecp256k1zkp_v0_5_0_wnaf_const(wnaf_1, scalar, WINDOW_A - 1, size); + skew_1 = rustsecp256k1zkp_v0_6_0_wnaf_const(wnaf_1, scalar, WINDOW_A - 1, size); skew_lam = 0; } @@ -168,14 +168,14 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_const(rustsecp256k1zkp_v0_5_0_gej *r, * that the Z coordinate was 1, use affine addition formulae, and correct * the Z coordinate of the result once at the end. */ - rustsecp256k1zkp_v0_5_0_gej_set_ge(r, a); - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, r); + rustsecp256k1zkp_v0_6_0_gej_set_ge(r, a); + rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, r); for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&pre_a[i].y); + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&pre_a[i].y); } if (size > 128) { for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { - rustsecp256k1zkp_v0_5_0_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]); + rustsecp256k1zkp_v0_6_0_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]); } } @@ -186,67 +186,67 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_const(rustsecp256k1zkp_v0_5_0_gej *r, i = wnaf_1[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; VERIFY_CHECK(i != 0); ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, i, WINDOW_A); - rustsecp256k1zkp_v0_5_0_gej_set_ge(r, &tmpa); + rustsecp256k1zkp_v0_6_0_gej_set_ge(r, &tmpa); if (size > 128) { i = wnaf_lam[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; VERIFY_CHECK(i != 0); ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, i, WINDOW_A); - rustsecp256k1zkp_v0_5_0_gej_add_ge(r, r, &tmpa); + rustsecp256k1zkp_v0_6_0_gej_add_ge(r, r, &tmpa); } /* remaining loop iterations */ for (i = WNAF_SIZE_BITS(rsize, WINDOW_A - 1) - 1; i >= 0; i--) { int n; int j; for (j = 0; j < WINDOW_A - 1; ++j) { - rustsecp256k1zkp_v0_5_0_gej_double(r, r); + rustsecp256k1zkp_v0_6_0_gej_double(r, r); } n = wnaf_1[i]; ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, n, WINDOW_A); VERIFY_CHECK(n != 0); - rustsecp256k1zkp_v0_5_0_gej_add_ge(r, r, &tmpa); + rustsecp256k1zkp_v0_6_0_gej_add_ge(r, r, &tmpa); if (size > 128) { n = wnaf_lam[i]; ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, n, WINDOW_A); VERIFY_CHECK(n != 0); - rustsecp256k1zkp_v0_5_0_gej_add_ge(r, r, &tmpa); + rustsecp256k1zkp_v0_6_0_gej_add_ge(r, r, &tmpa); } } - rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &r->z, &Z); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &r->z, &Z); { /* Correct for wNAF skew */ - rustsecp256k1zkp_v0_5_0_ge correction = *a; - rustsecp256k1zkp_v0_5_0_ge_storage correction_1_stor; - rustsecp256k1zkp_v0_5_0_ge_storage correction_lam_stor; - rustsecp256k1zkp_v0_5_0_ge_storage a2_stor; - rustsecp256k1zkp_v0_5_0_gej tmpj; - rustsecp256k1zkp_v0_5_0_gej_set_ge(&tmpj, &correction); - rustsecp256k1zkp_v0_5_0_gej_double_var(&tmpj, &tmpj, NULL); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&correction, &tmpj); - rustsecp256k1zkp_v0_5_0_ge_to_storage(&correction_1_stor, a); + rustsecp256k1zkp_v0_6_0_ge correction = *a; + rustsecp256k1zkp_v0_6_0_ge_storage correction_1_stor; + rustsecp256k1zkp_v0_6_0_ge_storage correction_lam_stor; + rustsecp256k1zkp_v0_6_0_ge_storage a2_stor; + rustsecp256k1zkp_v0_6_0_gej tmpj; + rustsecp256k1zkp_v0_6_0_gej_set_ge(&tmpj, &correction); + rustsecp256k1zkp_v0_6_0_gej_double_var(&tmpj, &tmpj, NULL); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&correction, &tmpj); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&correction_1_stor, a); if (size > 128) { - rustsecp256k1zkp_v0_5_0_ge_to_storage(&correction_lam_stor, a); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&correction_lam_stor, a); } - rustsecp256k1zkp_v0_5_0_ge_to_storage(&a2_stor, &correction); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&a2_stor, &correction); /* For odd numbers this is 2a (so replace it), for even ones a (so no-op) */ - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&correction_1_stor, &a2_stor, skew_1 == 2); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&correction_1_stor, &a2_stor, skew_1 == 2); if (size > 128) { - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&correction_lam_stor, &a2_stor, skew_lam == 2); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&correction_lam_stor, &a2_stor, skew_lam == 2); } /* Apply the correction */ - rustsecp256k1zkp_v0_5_0_ge_from_storage(&correction, &correction_1_stor); - rustsecp256k1zkp_v0_5_0_ge_neg(&correction, &correction); - rustsecp256k1zkp_v0_5_0_gej_add_ge(r, r, &correction); + rustsecp256k1zkp_v0_6_0_ge_from_storage(&correction, &correction_1_stor); + rustsecp256k1zkp_v0_6_0_ge_neg(&correction, &correction); + rustsecp256k1zkp_v0_6_0_gej_add_ge(r, r, &correction); if (size > 128) { - rustsecp256k1zkp_v0_5_0_ge_from_storage(&correction, &correction_lam_stor); - rustsecp256k1zkp_v0_5_0_ge_neg(&correction, &correction); - rustsecp256k1zkp_v0_5_0_ge_mul_lambda(&correction, &correction); - rustsecp256k1zkp_v0_5_0_gej_add_ge(r, r, &correction); + rustsecp256k1zkp_v0_6_0_ge_from_storage(&correction, &correction_lam_stor); + rustsecp256k1zkp_v0_6_0_ge_neg(&correction, &correction); + rustsecp256k1zkp_v0_6_0_ge_mul_lambda(&correction, &correction); + rustsecp256k1zkp_v0_6_0_gej_add_ge(r, r, &correction); } } } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen.h index 89719776..0ca2867d 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen.h @@ -30,21 +30,21 @@ typedef struct { * None of the resulting prec group elements have a known scalar, and neither do any of * the intermediate sums while computing a*G. */ - rustsecp256k1zkp_v0_5_0_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */ - rustsecp256k1zkp_v0_5_0_scalar blind; - rustsecp256k1zkp_v0_5_0_gej initial; -} rustsecp256k1zkp_v0_5_0_ecmult_gen_context; + rustsecp256k1zkp_v0_6_0_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */ + rustsecp256k1zkp_v0_6_0_scalar blind; + rustsecp256k1zkp_v0_6_0_gej initial; +} rustsecp256k1zkp_v0_6_0_ecmult_gen_context; static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_init(rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ctx); -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_build(rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ctx, void **prealloc); -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_finalize_memcpy(rustsecp256k1zkp_v0_5_0_ecmult_gen_context *dst, const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* src); -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_clear(rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ctx); -static int rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ctx); +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_init(rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ctx); +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_build(rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ctx, void **prealloc); +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_finalize_memcpy(rustsecp256k1zkp_v0_6_0_ecmult_gen_context *dst, const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* src); +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_clear(rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ctx); +static int rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ctx); /** Multiply with the generator: R = a*G */ -static void rustsecp256k1zkp_v0_5_0_ecmult_gen(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ctx, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *a); +static void rustsecp256k1zkp_v0_6_0_ecmult_gen(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ctx, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *a); -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx, const unsigned char *seed32); +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx, const unsigned char *seed32); #endif /* SECP256K1_ECMULT_GEN_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen_impl.h index aa0ca762..b10d351d 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_gen_impl.h @@ -17,20 +17,20 @@ #endif #ifndef USE_ECMULT_STATIC_PRECOMPUTATION - static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = ROUND_TO_ALIGN(sizeof(*((rustsecp256k1zkp_v0_5_0_ecmult_gen_context*) NULL)->prec)); + static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = ROUND_TO_ALIGN(sizeof(*((rustsecp256k1zkp_v0_6_0_ecmult_gen_context*) NULL)->prec)); #else static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = 0; #endif -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_init(rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx) { +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_init(rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx) { ctx->prec = NULL; } -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_build(rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx, void **prealloc) { +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_build(rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx, void **prealloc) { #ifndef USE_ECMULT_STATIC_PRECOMPUTATION - rustsecp256k1zkp_v0_5_0_ge prec[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; - rustsecp256k1zkp_v0_5_0_gej gj; - rustsecp256k1zkp_v0_5_0_gej nums_gej; + rustsecp256k1zkp_v0_6_0_ge prec[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; + rustsecp256k1zkp_v0_6_0_gej gj; + rustsecp256k1zkp_v0_6_0_gej nums_gej; int i, j; size_t const prealloc_size = SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; void* const base = *prealloc; @@ -40,101 +40,101 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_build(rustsecp256k1zkp_v0 return; } #ifndef USE_ECMULT_STATIC_PRECOMPUTATION - ctx->prec = (rustsecp256k1zkp_v0_5_0_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])manual_alloc(prealloc, prealloc_size, base, prealloc_size); + ctx->prec = (rustsecp256k1zkp_v0_6_0_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])manual_alloc(prealloc, prealloc_size, base, prealloc_size); /* get the generator */ - rustsecp256k1zkp_v0_5_0_gej_set_ge(&gj, &rustsecp256k1zkp_v0_5_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&gj, &rustsecp256k1zkp_v0_6_0_ge_const_g); /* Construct a group element with no known corresponding scalar (nothing up my sleeve). */ { static const unsigned char nums_b32[33] = "The scalar for this x is unknown"; - rustsecp256k1zkp_v0_5_0_fe nums_x; - rustsecp256k1zkp_v0_5_0_ge nums_ge; + rustsecp256k1zkp_v0_6_0_fe nums_x; + rustsecp256k1zkp_v0_6_0_ge nums_ge; int r; - r = rustsecp256k1zkp_v0_5_0_fe_set_b32(&nums_x, nums_b32); + r = rustsecp256k1zkp_v0_6_0_fe_set_b32(&nums_x, nums_b32); (void)r; VERIFY_CHECK(r); - r = rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&nums_ge, &nums_x, 0); + r = rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&nums_ge, &nums_x, 0); (void)r; VERIFY_CHECK(r); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&nums_gej, &nums_ge); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&nums_gej, &nums_ge); /* Add G to make the bits in x uniformly distributed. */ - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&nums_gej, &nums_gej, &rustsecp256k1zkp_v0_5_0_ge_const_g, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&nums_gej, &nums_gej, &rustsecp256k1zkp_v0_6_0_ge_const_g, NULL); } /* compute prec. */ { - rustsecp256k1zkp_v0_5_0_gej precj[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; /* Jacobian versions of prec. */ - rustsecp256k1zkp_v0_5_0_gej gbase; - rustsecp256k1zkp_v0_5_0_gej numsbase; + rustsecp256k1zkp_v0_6_0_gej precj[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; /* Jacobian versions of prec. */ + rustsecp256k1zkp_v0_6_0_gej gbase; + rustsecp256k1zkp_v0_6_0_gej numsbase; gbase = gj; /* PREC_G^j * G */ numsbase = nums_gej; /* 2^j * nums. */ for (j = 0; j < ECMULT_GEN_PREC_N; j++) { /* Set precj[j*PREC_G .. j*PREC_G+(PREC_G-1)] to (numsbase, numsbase + gbase, ..., numsbase + (PREC_G-1)*gbase). */ precj[j*ECMULT_GEN_PREC_G] = numsbase; for (i = 1; i < ECMULT_GEN_PREC_G; i++) { - rustsecp256k1zkp_v0_5_0_gej_add_var(&precj[j*ECMULT_GEN_PREC_G + i], &precj[j*ECMULT_GEN_PREC_G + i - 1], &gbase, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&precj[j*ECMULT_GEN_PREC_G + i], &precj[j*ECMULT_GEN_PREC_G + i - 1], &gbase, NULL); } /* Multiply gbase by PREC_G. */ for (i = 0; i < ECMULT_GEN_PREC_B; i++) { - rustsecp256k1zkp_v0_5_0_gej_double_var(&gbase, &gbase, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&gbase, &gbase, NULL); } /* Multiply numbase by 2. */ - rustsecp256k1zkp_v0_5_0_gej_double_var(&numsbase, &numsbase, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&numsbase, &numsbase, NULL); if (j == ECMULT_GEN_PREC_N - 2) { /* In the last iteration, numsbase is (1 - 2^j) * nums instead. */ - rustsecp256k1zkp_v0_5_0_gej_neg(&numsbase, &numsbase); - rustsecp256k1zkp_v0_5_0_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL); + rustsecp256k1zkp_v0_6_0_gej_neg(&numsbase, &numsbase); + rustsecp256k1zkp_v0_6_0_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL); } } - rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(prec, precj, ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G); + rustsecp256k1zkp_v0_6_0_ge_set_all_gej_var(prec, precj, ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G); } for (j = 0; j < ECMULT_GEN_PREC_N; j++) { for (i = 0; i < ECMULT_GEN_PREC_G; i++) { - rustsecp256k1zkp_v0_5_0_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*ECMULT_GEN_PREC_G + i]); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*ECMULT_GEN_PREC_G + i]); } } #else (void)prealloc; - ctx->prec = (rustsecp256k1zkp_v0_5_0_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])rustsecp256k1zkp_v0_5_0_ecmult_static_context; + ctx->prec = (rustsecp256k1zkp_v0_6_0_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])rustsecp256k1zkp_v0_6_0_ecmult_static_context; #endif - rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(ctx, NULL); + rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(ctx, NULL); } -static int rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ctx) { +static int rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ctx) { return ctx->prec != NULL; } -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_finalize_memcpy(rustsecp256k1zkp_v0_5_0_ecmult_gen_context *dst, const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *src) { +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_finalize_memcpy(rustsecp256k1zkp_v0_6_0_ecmult_gen_context *dst, const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *src) { #ifndef USE_ECMULT_STATIC_PRECOMPUTATION if (src->prec != NULL) { /* We cast to void* first to suppress a -Wcast-align warning. */ - dst->prec = (rustsecp256k1zkp_v0_5_0_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src)); + dst->prec = (rustsecp256k1zkp_v0_6_0_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src)); } #else (void)dst, (void)src; #endif } -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_context_clear(rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&ctx->blind); - rustsecp256k1zkp_v0_5_0_gej_clear(&ctx->initial); +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_context_clear(rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx) { + rustsecp256k1zkp_v0_6_0_scalar_clear(&ctx->blind); + rustsecp256k1zkp_v0_6_0_gej_clear(&ctx->initial); ctx->prec = NULL; } -static void rustsecp256k1zkp_v0_5_0_ecmult_gen(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *gn) { - rustsecp256k1zkp_v0_5_0_ge add; - rustsecp256k1zkp_v0_5_0_ge_storage adds; - rustsecp256k1zkp_v0_5_0_scalar gnb; +static void rustsecp256k1zkp_v0_6_0_ecmult_gen(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *gn) { + rustsecp256k1zkp_v0_6_0_ge add; + rustsecp256k1zkp_v0_6_0_ge_storage adds; + rustsecp256k1zkp_v0_6_0_scalar gnb; int bits; int i, j; memset(&adds, 0, sizeof(adds)); *r = ctx->initial; /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */ - rustsecp256k1zkp_v0_5_0_scalar_add(&gnb, gn, &ctx->blind); + rustsecp256k1zkp_v0_6_0_scalar_add(&gnb, gn, &ctx->blind); add.infinity = 0; for (j = 0; j < ECMULT_GEN_PREC_N; j++) { - bits = rustsecp256k1zkp_v0_5_0_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B); + bits = rustsecp256k1zkp_v0_6_0_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B); for (i = 0; i < ECMULT_GEN_PREC_G; i++) { /** This uses a conditional move to avoid any secret data in array indexes. * _Any_ use of secret indexes has been demonstrated to result in timing @@ -146,33 +146,33 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_gen(const rustsecp256k1zkp_v0_5_0_ecm * by Dag Arne Osvik, Adi Shamir, and Eran Tromer * (https://www.tau.ac.il/~tromer/papers/cache.pdf) */ - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits); } - rustsecp256k1zkp_v0_5_0_ge_from_storage(&add, &adds); - rustsecp256k1zkp_v0_5_0_gej_add_ge(r, r, &add); + rustsecp256k1zkp_v0_6_0_ge_from_storage(&add, &adds); + rustsecp256k1zkp_v0_6_0_gej_add_ge(r, r, &add); } bits = 0; - rustsecp256k1zkp_v0_5_0_ge_clear(&add); - rustsecp256k1zkp_v0_5_0_scalar_clear(&gnb); + rustsecp256k1zkp_v0_6_0_ge_clear(&add); + rustsecp256k1zkp_v0_6_0_scalar_clear(&gnb); } -/* Setup blinding values for rustsecp256k1zkp_v0_5_0_ecmult_gen. */ -static void rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ctx, const unsigned char *seed32) { - rustsecp256k1zkp_v0_5_0_scalar b; - rustsecp256k1zkp_v0_5_0_gej gb; - rustsecp256k1zkp_v0_5_0_fe s; +/* Setup blinding values for rustsecp256k1zkp_v0_6_0_ecmult_gen. */ +static void rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ctx, const unsigned char *seed32) { + rustsecp256k1zkp_v0_6_0_scalar b; + rustsecp256k1zkp_v0_6_0_gej gb; + rustsecp256k1zkp_v0_6_0_fe s; unsigned char nonce32[32]; - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 rng; + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 rng; int overflow; unsigned char keydata[64] = {0}; if (seed32 == NULL) { /* When seed is NULL, reset the initial point and blinding value. */ - rustsecp256k1zkp_v0_5_0_gej_set_ge(&ctx->initial, &rustsecp256k1zkp_v0_5_0_ge_const_g); - rustsecp256k1zkp_v0_5_0_gej_neg(&ctx->initial, &ctx->initial); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ctx->blind, 1); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&ctx->initial, &rustsecp256k1zkp_v0_6_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_gej_neg(&ctx->initial, &ctx->initial); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ctx->blind, 1); } /* The prior blinding value (if not reset) is chained forward by including it in the hash. */ - rustsecp256k1zkp_v0_5_0_scalar_get_b32(nonce32, &ctx->blind); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(nonce32, &ctx->blind); /** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data, * and guards against weak or adversarial seeds. This is a simpler and safer interface than * asking the caller for blinding values directly and expecting them to retry on failure. @@ -181,28 +181,28 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(rustsecp256k1zkp_v0_5_0_ecm if (seed32 != NULL) { memcpy(keydata + 32, seed32, 32); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32); memset(keydata, 0, sizeof(keydata)); /* Accept unobservably small non-uniformity. */ - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); - overflow = !rustsecp256k1zkp_v0_5_0_fe_set_b32(&s, nonce32); - overflow |= rustsecp256k1zkp_v0_5_0_fe_is_zero(&s); - rustsecp256k1zkp_v0_5_0_fe_cmov(&s, &rustsecp256k1zkp_v0_5_0_fe_one, overflow); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + overflow = !rustsecp256k1zkp_v0_6_0_fe_set_b32(&s, nonce32); + overflow |= rustsecp256k1zkp_v0_6_0_fe_is_zero(&s); + rustsecp256k1zkp_v0_6_0_fe_cmov(&s, &rustsecp256k1zkp_v0_6_0_fe_one, overflow); /* Randomize the projection to defend against multiplier sidechannels. */ - rustsecp256k1zkp_v0_5_0_gej_rescale(&ctx->initial, &s); - rustsecp256k1zkp_v0_5_0_fe_clear(&s); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&b, nonce32, NULL); + rustsecp256k1zkp_v0_6_0_gej_rescale(&ctx->initial, &s); + rustsecp256k1zkp_v0_6_0_fe_clear(&s); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&b, nonce32, NULL); /* A blinding value of 0 works, but would undermine the projection hardening. */ - rustsecp256k1zkp_v0_5_0_scalar_cmov(&b, &rustsecp256k1zkp_v0_5_0_scalar_one, rustsecp256k1zkp_v0_5_0_scalar_is_zero(&b)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&b, &rustsecp256k1zkp_v0_6_0_scalar_one, rustsecp256k1zkp_v0_6_0_scalar_is_zero(&b)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(&rng); memset(nonce32, 0, 32); - rustsecp256k1zkp_v0_5_0_ecmult_gen(ctx, &gb, &b); - rustsecp256k1zkp_v0_5_0_scalar_negate(&b, &b); + rustsecp256k1zkp_v0_6_0_ecmult_gen(ctx, &gb, &b); + rustsecp256k1zkp_v0_6_0_scalar_negate(&b, &b); ctx->blind = b; ctx->initial = gb; - rustsecp256k1zkp_v0_5_0_scalar_clear(&b); - rustsecp256k1zkp_v0_5_0_gej_clear(&gb); + rustsecp256k1zkp_v0_6_0_scalar_clear(&b); + rustsecp256k1zkp_v0_6_0_gej_clear(&gb); } #endif /* SECP256K1_ECMULT_GEN_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_impl.h index 2aa4f7f1..24378ca1 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/ecmult_impl.h @@ -35,8 +35,8 @@ /** Larger values for ECMULT_WINDOW_SIZE result in possibly better * performance at the cost of an exponentially larger precomputed * table. The exact table size is - * (1 << (WINDOW_G - 2)) * sizeof(rustsecp256k1zkp_v0_5_0_ge_storage) bytes, - * where sizeof(rustsecp256k1zkp_v0_5_0_ge_storage) is typically 64 bytes but can + * (1 << (WINDOW_G - 2)) * sizeof(rustsecp256k1zkp_v0_6_0_ge_storage) bytes, + * where sizeof(rustsecp256k1zkp_v0_6_0_ge_storage) is typically 64 bytes but can * be larger due to platform-specific padding and alignment. * Two tables of this size are used (due to the endomorphism * optimization). @@ -82,14 +82,14 @@ * contain prej[0].z / a.z. The other zr[i] values = prej[i].z / prej[i-1].z. * Prej's Z values are undefined, except for the last value. */ -static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table(int n, rustsecp256k1zkp_v0_5_0_gej *prej, rustsecp256k1zkp_v0_5_0_fe *zr, const rustsecp256k1zkp_v0_5_0_gej *a) { - rustsecp256k1zkp_v0_5_0_gej d; - rustsecp256k1zkp_v0_5_0_ge a_ge, d_ge; +static void rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table(int n, rustsecp256k1zkp_v0_6_0_gej *prej, rustsecp256k1zkp_v0_6_0_fe *zr, const rustsecp256k1zkp_v0_6_0_gej *a) { + rustsecp256k1zkp_v0_6_0_gej d; + rustsecp256k1zkp_v0_6_0_ge a_ge, d_ge; int i; VERIFY_CHECK(!a->infinity); - rustsecp256k1zkp_v0_5_0_gej_double_var(&d, a, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&d, a, NULL); /* * Perform the additions on an isomorphism where 'd' is affine: drop the z coordinate @@ -99,7 +99,7 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table(int n, rustsecp25 d_ge.y = d.y; d_ge.infinity = 0; - rustsecp256k1zkp_v0_5_0_ge_set_gej_zinv(&a_ge, a, &d.z); + rustsecp256k1zkp_v0_6_0_ge_set_gej_zinv(&a_ge, a, &d.z); prej[0].x = a_ge.x; prej[0].y = a_ge.y; prej[0].z = a->z; @@ -107,24 +107,24 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table(int n, rustsecp25 zr[0] = d.z; for (i = 1; i < n; i++) { - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&prej[i], &prej[i-1], &d_ge, &zr[i]); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&prej[i], &prej[i-1], &d_ge, &zr[i]); } /* * Each point in 'prej' has a z coordinate too small by a factor of 'd.z'. Only * the final point's z coordinate is actually used though, so just update that. */ - rustsecp256k1zkp_v0_5_0_fe_mul(&prej[n-1].z, &prej[n-1].z, &d.z); + rustsecp256k1zkp_v0_6_0_fe_mul(&prej[n-1].z, &prej[n-1].z, &d.z); } /** Fill a table 'pre' with precomputed odd multiples of a. * * There are two versions of this function: - * - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_globalz_windowa which brings its + * - rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table_globalz_windowa which brings its * resulting point set to a single constant Z denominator, stores the X and Y * coordinates as ge_storage points in pre, and stores the global Z in rz. * It only operates on tables sized for WINDOW_A wnaf multiples. - * - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var, which converts its + * - rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table_storage_var, which converts its * resulting point set to actually affine points, and stores those in pre. * It operates on tables of any size. * @@ -132,32 +132,32 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table(int n, rustsecp25 * and for G using the second (which requires an inverse, but it only needs to * happen once). */ -static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_globalz_windowa(rustsecp256k1zkp_v0_5_0_ge *pre, rustsecp256k1zkp_v0_5_0_fe *globalz, const rustsecp256k1zkp_v0_5_0_gej *a) { - rustsecp256k1zkp_v0_5_0_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1zkp_v0_5_0_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; +static void rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table_globalz_windowa(rustsecp256k1zkp_v0_6_0_ge *pre, rustsecp256k1zkp_v0_6_0_fe *globalz, const rustsecp256k1zkp_v0_6_0_gej *a) { + rustsecp256k1zkp_v0_6_0_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1zkp_v0_6_0_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; /* Compute the odd multiples in Jacobian form. */ - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), prej, zr, a); + rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), prej, zr, a); /* Bring them to the same Z denominator. */ - rustsecp256k1zkp_v0_5_0_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A), pre, globalz, prej, zr); + rustsecp256k1zkp_v0_6_0_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A), pre, globalz, prej, zr); } -static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(const int n, rustsecp256k1zkp_v0_5_0_ge_storage *pre, const rustsecp256k1zkp_v0_5_0_gej *a) { - rustsecp256k1zkp_v0_5_0_gej d; - rustsecp256k1zkp_v0_5_0_ge d_ge, p_ge; - rustsecp256k1zkp_v0_5_0_gej pj; - rustsecp256k1zkp_v0_5_0_fe zi; - rustsecp256k1zkp_v0_5_0_fe zr; - rustsecp256k1zkp_v0_5_0_fe dx_over_dz_squared; +static void rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table_storage_var(const int n, rustsecp256k1zkp_v0_6_0_ge_storage *pre, const rustsecp256k1zkp_v0_6_0_gej *a) { + rustsecp256k1zkp_v0_6_0_gej d; + rustsecp256k1zkp_v0_6_0_ge d_ge, p_ge; + rustsecp256k1zkp_v0_6_0_gej pj; + rustsecp256k1zkp_v0_6_0_fe zi; + rustsecp256k1zkp_v0_6_0_fe zr; + rustsecp256k1zkp_v0_6_0_fe dx_over_dz_squared; int i; VERIFY_CHECK(!a->infinity); - rustsecp256k1zkp_v0_5_0_gej_double_var(&d, a, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&d, a, NULL); /* First, we perform all the additions in an isomorphic curve obtained by multiplying * all `z` coordinates by 1/`d.z`. In these coordinates `d` is affine so we can use - * `rustsecp256k1zkp_v0_5_0_gej_add_ge_var` to perform the additions. For each addition, we store + * `rustsecp256k1zkp_v0_6_0_gej_add_ge_var` to perform the additions. For each addition, we store * the resulting y-coordinate and the z-ratio, since we only have enough memory to * store two field elements. These are sufficient to efficiently undo the isomorphism * and recompute all the `x`s. @@ -166,34 +166,34 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(const d_ge.y = d.y; d_ge.infinity = 0; - rustsecp256k1zkp_v0_5_0_ge_set_gej_zinv(&p_ge, a, &d.z); + rustsecp256k1zkp_v0_6_0_ge_set_gej_zinv(&p_ge, a, &d.z); pj.x = p_ge.x; pj.y = p_ge.y; pj.z = a->z; pj.infinity = 0; for (i = 0; i < (n - 1); i++) { - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&pj.y); - rustsecp256k1zkp_v0_5_0_fe_to_storage(&pre[i].y, &pj.y); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&pj, &pj, &d_ge, &zr); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&zr); - rustsecp256k1zkp_v0_5_0_fe_to_storage(&pre[i].x, &zr); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&pj.y); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&pre[i].y, &pj.y); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&pj, &pj, &d_ge, &zr); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&zr); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&pre[i].x, &zr); } /* Invert d.z in the same batch, preserving pj.z so we can extract 1/d.z */ - rustsecp256k1zkp_v0_5_0_fe_mul(&zi, &pj.z, &d.z); - rustsecp256k1zkp_v0_5_0_fe_inv_var(&zi, &zi); + rustsecp256k1zkp_v0_6_0_fe_mul(&zi, &pj.z, &d.z); + rustsecp256k1zkp_v0_6_0_fe_inv_var(&zi, &zi); /* Directly set `pre[n - 1]` to `pj`, saving the inverted z-coordinate so * that we can combine it with the saved z-ratios to compute the other zs * without any more inversions. */ - rustsecp256k1zkp_v0_5_0_ge_set_gej_zinv(&p_ge, &pj, &zi); - rustsecp256k1zkp_v0_5_0_ge_to_storage(&pre[n - 1], &p_ge); + rustsecp256k1zkp_v0_6_0_ge_set_gej_zinv(&p_ge, &pj, &zi); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&pre[n - 1], &p_ge); /* Compute the actual x-coordinate of D, which will be needed below. */ - rustsecp256k1zkp_v0_5_0_fe_mul(&d.z, &zi, &pj.z); /* d.z = 1/d.z */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&dx_over_dz_squared, &d.z); - rustsecp256k1zkp_v0_5_0_fe_mul(&dx_over_dz_squared, &dx_over_dz_squared, &d.x); + rustsecp256k1zkp_v0_6_0_fe_mul(&d.z, &zi, &pj.z); /* d.z = 1/d.z */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&dx_over_dz_squared, &d.z); + rustsecp256k1zkp_v0_6_0_fe_mul(&dx_over_dz_squared, &dx_over_dz_squared, &d.x); /* Going into the second loop, we have set `pre[n-1]` to its final affine * form, but still need to set `pre[i]` for `i` in 0 through `n-2`. We @@ -217,21 +217,21 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(const */ i = n - 1; while (i > 0) { - rustsecp256k1zkp_v0_5_0_fe zi2, zi3; - const rustsecp256k1zkp_v0_5_0_fe *rzr; + rustsecp256k1zkp_v0_6_0_fe zi2, zi3; + const rustsecp256k1zkp_v0_6_0_fe *rzr; i--; - rustsecp256k1zkp_v0_5_0_ge_from_storage(&p_ge, &pre[i]); + rustsecp256k1zkp_v0_6_0_ge_from_storage(&p_ge, &pre[i]); /* For each remaining point, we extract the z-ratio from the stored * x-coordinate, compute its z^-1 from that, and compute the full * point from that. */ rzr = &p_ge.x; - rustsecp256k1zkp_v0_5_0_fe_mul(&zi, &zi, rzr); - rustsecp256k1zkp_v0_5_0_fe_sqr(&zi2, &zi); - rustsecp256k1zkp_v0_5_0_fe_mul(&zi3, &zi2, &zi); + rustsecp256k1zkp_v0_6_0_fe_mul(&zi, &zi, rzr); + rustsecp256k1zkp_v0_6_0_fe_sqr(&zi2, &zi); + rustsecp256k1zkp_v0_6_0_fe_mul(&zi3, &zi2, &zi); /* To compute the actual x-coordinate, we use the stored z ratio and - * y-coordinate, which we obtained from `rustsecp256k1zkp_v0_5_0_gej_add_ge_var` + * y-coordinate, which we obtained from `rustsecp256k1zkp_v0_6_0_gej_add_ge_var` * in the loop above, as well as the inverse of the square of its * z-coordinate. We store the latter in the `zi2` variable, which is * computed iteratively starting from the overall Z inverse then @@ -263,13 +263,13 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(const * X = d_x / d_z^2 - rzr / z^2 * = dx_over_dz_squared - rzr * zi2 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&p_ge.x, rzr, &zi2); - rustsecp256k1zkp_v0_5_0_fe_negate(&p_ge.x, &p_ge.x, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&p_ge.x, &dx_over_dz_squared); + rustsecp256k1zkp_v0_6_0_fe_mul(&p_ge.x, rzr, &zi2); + rustsecp256k1zkp_v0_6_0_fe_negate(&p_ge.x, &p_ge.x, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&p_ge.x, &dx_over_dz_squared); /* y is stored_y/z^3, as we expect */ - rustsecp256k1zkp_v0_5_0_fe_mul(&p_ge.y, &p_ge.y, &zi3); + rustsecp256k1zkp_v0_6_0_fe_mul(&p_ge.y, &p_ge.y, &zi3); /* Store */ - rustsecp256k1zkp_v0_5_0_ge_to_storage(&pre[i], &p_ge); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&pre[i], &p_ge); } } @@ -283,7 +283,7 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(const *(r) = (pre)[((n)-1)/2]; \ } else { \ *(r) = (pre)[(-(n)-1)/2]; \ - rustsecp256k1zkp_v0_5_0_fe_negate(&((r)->y), &((r)->y), 1); \ + rustsecp256k1zkp_v0_6_0_fe_negate(&((r)->y), &((r)->y), 1); \ } \ } while(0) @@ -292,25 +292,25 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(const VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ if ((n) > 0) { \ - rustsecp256k1zkp_v0_5_0_ge_from_storage((r), &(pre)[((n)-1)/2]); \ + rustsecp256k1zkp_v0_6_0_ge_from_storage((r), &(pre)[((n)-1)/2]); \ } else { \ - rustsecp256k1zkp_v0_5_0_ge_from_storage((r), &(pre)[(-(n)-1)/2]); \ - rustsecp256k1zkp_v0_5_0_fe_negate(&((r)->y), &((r)->y), 1); \ + rustsecp256k1zkp_v0_6_0_ge_from_storage((r), &(pre)[(-(n)-1)/2]); \ + rustsecp256k1zkp_v0_6_0_fe_negate(&((r)->y), &((r)->y), 1); \ } \ } while(0) static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE = - ROUND_TO_ALIGN(sizeof((*((rustsecp256k1zkp_v0_5_0_ecmult_context*) NULL)->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) - + ROUND_TO_ALIGN(sizeof((*((rustsecp256k1zkp_v0_5_0_ecmult_context*) NULL)->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) + ROUND_TO_ALIGN(sizeof((*((rustsecp256k1zkp_v0_6_0_ecmult_context*) NULL)->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) + + ROUND_TO_ALIGN(sizeof((*((rustsecp256k1zkp_v0_6_0_ecmult_context*) NULL)->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) ; -static void rustsecp256k1zkp_v0_5_0_ecmult_context_init(rustsecp256k1zkp_v0_5_0_ecmult_context *ctx) { +static void rustsecp256k1zkp_v0_6_0_ecmult_context_init(rustsecp256k1zkp_v0_6_0_ecmult_context *ctx) { ctx->pre_g = NULL; ctx->pre_g_128 = NULL; } -static void rustsecp256k1zkp_v0_5_0_ecmult_context_build(rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, void **prealloc) { - rustsecp256k1zkp_v0_5_0_gej gj; +static void rustsecp256k1zkp_v0_6_0_ecmult_context_build(rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, void **prealloc) { + rustsecp256k1zkp_v0_6_0_gej gj; void* const base = *prealloc; size_t const prealloc_size = SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; @@ -319,52 +319,52 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_context_build(rustsecp256k1zkp_v0_5_0 } /* get the generator */ - rustsecp256k1zkp_v0_5_0_gej_set_ge(&gj, &rustsecp256k1zkp_v0_5_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&gj, &rustsecp256k1zkp_v0_6_0_ge_const_g); { size_t size = sizeof((*ctx->pre_g)[0]) * ((size_t)ECMULT_TABLE_SIZE(WINDOW_G)); /* check for overflow */ VERIFY_CHECK(size / sizeof((*ctx->pre_g)[0]) == ((size_t)ECMULT_TABLE_SIZE(WINDOW_G))); - ctx->pre_g = (rustsecp256k1zkp_v0_5_0_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); + ctx->pre_g = (rustsecp256k1zkp_v0_6_0_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); } /* precompute the tables with odd multiples */ - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g, &gj); + rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g, &gj); { - rustsecp256k1zkp_v0_5_0_gej g_128j; + rustsecp256k1zkp_v0_6_0_gej g_128j; int i; size_t size = sizeof((*ctx->pre_g_128)[0]) * ((size_t) ECMULT_TABLE_SIZE(WINDOW_G)); /* check for overflow */ VERIFY_CHECK(size / sizeof((*ctx->pre_g_128)[0]) == ((size_t)ECMULT_TABLE_SIZE(WINDOW_G))); - ctx->pre_g_128 = (rustsecp256k1zkp_v0_5_0_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); + ctx->pre_g_128 = (rustsecp256k1zkp_v0_6_0_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); /* calculate 2^128*generator */ g_128j = gj; for (i = 0; i < 128; i++) { - rustsecp256k1zkp_v0_5_0_gej_double_var(&g_128j, &g_128j, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&g_128j, &g_128j, NULL); } - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g_128, &g_128j); + rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g_128, &g_128j); } } -static void rustsecp256k1zkp_v0_5_0_ecmult_context_finalize_memcpy(rustsecp256k1zkp_v0_5_0_ecmult_context *dst, const rustsecp256k1zkp_v0_5_0_ecmult_context *src) { +static void rustsecp256k1zkp_v0_6_0_ecmult_context_finalize_memcpy(rustsecp256k1zkp_v0_6_0_ecmult_context *dst, const rustsecp256k1zkp_v0_6_0_ecmult_context *src) { if (src->pre_g != NULL) { /* We cast to void* first to suppress a -Wcast-align warning. */ - dst->pre_g = (rustsecp256k1zkp_v0_5_0_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g) - (unsigned char*)src)); + dst->pre_g = (rustsecp256k1zkp_v0_6_0_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g) - (unsigned char*)src)); } if (src->pre_g_128 != NULL) { - dst->pre_g_128 = (rustsecp256k1zkp_v0_5_0_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g_128) - (unsigned char*)src)); + dst->pre_g_128 = (rustsecp256k1zkp_v0_6_0_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g_128) - (unsigned char*)src)); } } -static int rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx) { +static int rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx) { return ctx->pre_g != NULL; } -static void rustsecp256k1zkp_v0_5_0_ecmult_context_clear(rustsecp256k1zkp_v0_5_0_ecmult_context *ctx) { - rustsecp256k1zkp_v0_5_0_ecmult_context_init(ctx); +static void rustsecp256k1zkp_v0_6_0_ecmult_context_clear(rustsecp256k1zkp_v0_6_0_ecmult_context *ctx) { + rustsecp256k1zkp_v0_6_0_ecmult_context_init(ctx); } /** Convert a number to WNAF notation. The number becomes represented by sum(2^i * wnaf[i], i=0..bits), @@ -374,8 +374,8 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_context_clear(rustsecp256k1zkp_v0_5_0 * - the number of set values in wnaf is returned. This number is at most 256, and at most one more * than the number of bits in the (absolute value) of the input. */ -static int rustsecp256k1zkp_v0_5_0_ecmult_wnaf(int *wnaf, int len, const rustsecp256k1zkp_v0_5_0_scalar *a, int w) { - rustsecp256k1zkp_v0_5_0_scalar s; +static int rustsecp256k1zkp_v0_6_0_ecmult_wnaf(int *wnaf, int len, const rustsecp256k1zkp_v0_6_0_scalar *a, int w) { + rustsecp256k1zkp_v0_6_0_scalar s; int last_set_bit = -1; int bit = 0; int sign = 1; @@ -389,15 +389,15 @@ static int rustsecp256k1zkp_v0_5_0_ecmult_wnaf(int *wnaf, int len, const rustsec memset(wnaf, 0, len * sizeof(wnaf[0])); s = *a; - if (rustsecp256k1zkp_v0_5_0_scalar_get_bits(&s, 255, 1)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, &s); + if (rustsecp256k1zkp_v0_6_0_scalar_get_bits(&s, 255, 1)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, &s); sign = -1; } while (bit < len) { int now; int word; - if (rustsecp256k1zkp_v0_5_0_scalar_get_bits(&s, bit, 1) == (unsigned int)carry) { + if (rustsecp256k1zkp_v0_6_0_scalar_get_bits(&s, bit, 1) == (unsigned int)carry) { bit++; continue; } @@ -407,7 +407,7 @@ static int rustsecp256k1zkp_v0_5_0_ecmult_wnaf(int *wnaf, int len, const rustsec now = len - bit; } - word = rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(&s, bit, now) + carry; + word = rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(&s, bit, now) + carry; carry = (word >> (w-1)) & 1; word -= carry << w; @@ -420,14 +420,14 @@ static int rustsecp256k1zkp_v0_5_0_ecmult_wnaf(int *wnaf, int len, const rustsec #ifdef VERIFY CHECK(carry == 0); while (bit < 256) { - CHECK(rustsecp256k1zkp_v0_5_0_scalar_get_bits(&s, bit++, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_get_bits(&s, bit++, 1) == 0); } #endif return last_set_bit + 1; } -struct rustsecp256k1zkp_v0_5_0_strauss_point_state { - rustsecp256k1zkp_v0_5_0_scalar na_1, na_lam; +struct rustsecp256k1zkp_v0_6_0_strauss_point_state { + rustsecp256k1zkp_v0_6_0_scalar na_1, na_lam; int wnaf_na_1[129]; int wnaf_na_lam[129]; int bits_na_1; @@ -435,19 +435,19 @@ struct rustsecp256k1zkp_v0_5_0_strauss_point_state { size_t input_pos; }; -struct rustsecp256k1zkp_v0_5_0_strauss_state { - rustsecp256k1zkp_v0_5_0_gej* prej; - rustsecp256k1zkp_v0_5_0_fe* zr; - rustsecp256k1zkp_v0_5_0_ge* pre_a; - rustsecp256k1zkp_v0_5_0_ge* pre_a_lam; - struct rustsecp256k1zkp_v0_5_0_strauss_point_state* ps; +struct rustsecp256k1zkp_v0_6_0_strauss_state { + rustsecp256k1zkp_v0_6_0_gej* prej; + rustsecp256k1zkp_v0_6_0_fe* zr; + rustsecp256k1zkp_v0_6_0_ge* pre_a; + rustsecp256k1zkp_v0_6_0_ge* pre_a_lam; + struct rustsecp256k1zkp_v0_6_0_strauss_point_state* ps; }; -static void rustsecp256k1zkp_v0_5_0_ecmult_strauss_wnaf(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, const struct rustsecp256k1zkp_v0_5_0_strauss_state *state, rustsecp256k1zkp_v0_5_0_gej *r, size_t num, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_scalar *na, const rustsecp256k1zkp_v0_5_0_scalar *ng) { - rustsecp256k1zkp_v0_5_0_ge tmpa; - rustsecp256k1zkp_v0_5_0_fe Z; +static void rustsecp256k1zkp_v0_6_0_ecmult_strauss_wnaf(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, const struct rustsecp256k1zkp_v0_6_0_strauss_state *state, rustsecp256k1zkp_v0_6_0_gej *r, size_t num, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_scalar *na, const rustsecp256k1zkp_v0_6_0_scalar *ng) { + rustsecp256k1zkp_v0_6_0_ge tmpa; + rustsecp256k1zkp_v0_6_0_fe Z; /* Splitted G factors. */ - rustsecp256k1zkp_v0_5_0_scalar ng_1, ng_128; + rustsecp256k1zkp_v0_6_0_scalar ng_1, ng_128; int wnaf_ng_1[129]; int bits_ng_1 = 0; int wnaf_ng_128[129]; @@ -458,16 +458,16 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_strauss_wnaf(const rustsecp256k1zkp_v size_t no = 0; for (np = 0; np < num; ++np) { - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(&na[np]) || rustsecp256k1zkp_v0_5_0_gej_is_infinity(&a[np])) { + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(&na[np]) || rustsecp256k1zkp_v0_6_0_gej_is_infinity(&a[np])) { continue; } state->ps[no].input_pos = np; /* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */ - rustsecp256k1zkp_v0_5_0_scalar_split_lambda(&state->ps[no].na_1, &state->ps[no].na_lam, &na[np]); + rustsecp256k1zkp_v0_6_0_scalar_split_lambda(&state->ps[no].na_1, &state->ps[no].na_lam, &na[np]); /* build wnaf representation for na_1 and na_lam. */ - state->ps[no].bits_na_1 = rustsecp256k1zkp_v0_5_0_ecmult_wnaf(state->ps[no].wnaf_na_1, 129, &state->ps[no].na_1, WINDOW_A); - state->ps[no].bits_na_lam = rustsecp256k1zkp_v0_5_0_ecmult_wnaf(state->ps[no].wnaf_na_lam, 129, &state->ps[no].na_lam, WINDOW_A); + state->ps[no].bits_na_1 = rustsecp256k1zkp_v0_6_0_ecmult_wnaf(state->ps[no].wnaf_na_1, 129, &state->ps[no].na_1, WINDOW_A); + state->ps[no].bits_na_lam = rustsecp256k1zkp_v0_6_0_ecmult_wnaf(state->ps[no].wnaf_na_lam, 129, &state->ps[no].na_lam, WINDOW_A); VERIFY_CHECK(state->ps[no].bits_na_1 <= 129); VERIFY_CHECK(state->ps[no].bits_na_lam <= 129); if (state->ps[no].bits_na_1 > bits) { @@ -486,40 +486,40 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_strauss_wnaf(const rustsecp256k1zkp_v * the Z coordinate of the result once at the end. * The exception is the precomputed G table points, which are actually * affine. Compared to the base used for other points, they have a Z ratio - * of 1/Z, so we can use rustsecp256k1zkp_v0_5_0_gej_add_zinv_var, which uses the same + * of 1/Z, so we can use rustsecp256k1zkp_v0_6_0_gej_add_zinv_var, which uses the same * isomorphism to efficiently add with a known Z inverse. */ if (no > 0) { /* Compute the odd multiples in Jacobian form. */ - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej, state->zr, &a[state->ps[0].input_pos]); + rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej, state->zr, &a[state->ps[0].input_pos]); for (np = 1; np < no; ++np) { - rustsecp256k1zkp_v0_5_0_gej tmp = a[state->ps[np].input_pos]; + rustsecp256k1zkp_v0_6_0_gej tmp = a[state->ps[np].input_pos]; #ifdef VERIFY - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); #endif - rustsecp256k1zkp_v0_5_0_gej_rescale(&tmp, &(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); - rustsecp256k1zkp_v0_5_0_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &tmp); - rustsecp256k1zkp_v0_5_0_fe_mul(state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &(a[state->ps[np].input_pos].z)); + rustsecp256k1zkp_v0_6_0_gej_rescale(&tmp, &(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); + rustsecp256k1zkp_v0_6_0_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &tmp); + rustsecp256k1zkp_v0_6_0_fe_mul(state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &(a[state->ps[np].input_pos].z)); } /* Bring them to the same Z denominator. */ - rustsecp256k1zkp_v0_5_0_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A) * no, state->pre_a, &Z, state->prej, state->zr); + rustsecp256k1zkp_v0_6_0_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A) * no, state->pre_a, &Z, state->prej, state->zr); } else { - rustsecp256k1zkp_v0_5_0_fe_set_int(&Z, 1); + rustsecp256k1zkp_v0_6_0_fe_set_int(&Z, 1); } for (np = 0; np < no; ++np) { for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { - rustsecp256k1zkp_v0_5_0_ge_mul_lambda(&state->pre_a_lam[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i]); + rustsecp256k1zkp_v0_6_0_ge_mul_lambda(&state->pre_a_lam[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i]); } } if (ng) { /* split ng into ng_1 and ng_128 (where gn = gn_1 + gn_128*2^128, and gn_1 and gn_128 are ~128 bit) */ - rustsecp256k1zkp_v0_5_0_scalar_split_128(&ng_1, &ng_128, ng); + rustsecp256k1zkp_v0_6_0_scalar_split_128(&ng_1, &ng_128, ng); /* Build wnaf representation for ng_1 and ng_128 */ - bits_ng_1 = rustsecp256k1zkp_v0_5_0_ecmult_wnaf(wnaf_ng_1, 129, &ng_1, WINDOW_G); - bits_ng_128 = rustsecp256k1zkp_v0_5_0_ecmult_wnaf(wnaf_ng_128, 129, &ng_128, WINDOW_G); + bits_ng_1 = rustsecp256k1zkp_v0_6_0_ecmult_wnaf(wnaf_ng_1, 129, &ng_1, WINDOW_G); + bits_ng_128 = rustsecp256k1zkp_v0_6_0_ecmult_wnaf(wnaf_ng_128, 129, &ng_128, WINDOW_G); if (bits_ng_1 > bits) { bits = bits_ng_1; } @@ -528,102 +528,102 @@ static void rustsecp256k1zkp_v0_5_0_ecmult_strauss_wnaf(const rustsecp256k1zkp_v } } - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); for (i = bits - 1; i >= 0; i--) { int n; - rustsecp256k1zkp_v0_5_0_gej_double_var(r, r, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(r, r, NULL); for (np = 0; np < no; ++np) { if (i < state->ps[np].bits_na_1 && (n = state->ps[np].wnaf_na_1[i])) { ECMULT_TABLE_GET_GE(&tmpa, state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(r, r, &tmpa, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(r, r, &tmpa, NULL); } if (i < state->ps[np].bits_na_lam && (n = state->ps[np].wnaf_na_lam[i])) { ECMULT_TABLE_GET_GE(&tmpa, state->pre_a_lam + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(r, r, &tmpa, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(r, r, &tmpa, NULL); } } if (i < bits_ng_1 && (n = wnaf_ng_1[i])) { ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g, n, WINDOW_G); - rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(r, r, &tmpa, &Z); + rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(r, r, &tmpa, &Z); } if (i < bits_ng_128 && (n = wnaf_ng_128[i])) { ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g_128, n, WINDOW_G); - rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(r, r, &tmpa, &Z); + rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(r, r, &tmpa, &Z); } } if (!r->infinity) { - rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &r->z, &Z); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &r->z, &Z); } } -static void rustsecp256k1zkp_v0_5_0_ecmult(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_scalar *na, const rustsecp256k1zkp_v0_5_0_scalar *ng) { - rustsecp256k1zkp_v0_5_0_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1zkp_v0_5_0_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1zkp_v0_5_0_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; - struct rustsecp256k1zkp_v0_5_0_strauss_point_state ps[1]; - rustsecp256k1zkp_v0_5_0_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; - struct rustsecp256k1zkp_v0_5_0_strauss_state state; +static void rustsecp256k1zkp_v0_6_0_ecmult(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_scalar *na, const rustsecp256k1zkp_v0_6_0_scalar *ng) { + rustsecp256k1zkp_v0_6_0_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1zkp_v0_6_0_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1zkp_v0_6_0_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; + struct rustsecp256k1zkp_v0_6_0_strauss_point_state ps[1]; + rustsecp256k1zkp_v0_6_0_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; + struct rustsecp256k1zkp_v0_6_0_strauss_state state; state.prej = prej; state.zr = zr; state.pre_a = pre_a; state.pre_a_lam = pre_a_lam; state.ps = ps; - rustsecp256k1zkp_v0_5_0_ecmult_strauss_wnaf(ctx, &state, r, 1, a, na, ng); + rustsecp256k1zkp_v0_6_0_ecmult_strauss_wnaf(ctx, &state, r, 1, a, na, ng); } -static size_t rustsecp256k1zkp_v0_5_0_strauss_scratch_size(size_t n_points) { - static const size_t point_size = (2 * sizeof(rustsecp256k1zkp_v0_5_0_ge) + sizeof(rustsecp256k1zkp_v0_5_0_gej) + sizeof(rustsecp256k1zkp_v0_5_0_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct rustsecp256k1zkp_v0_5_0_strauss_point_state) + sizeof(rustsecp256k1zkp_v0_5_0_gej) + sizeof(rustsecp256k1zkp_v0_5_0_scalar); +static size_t rustsecp256k1zkp_v0_6_0_strauss_scratch_size(size_t n_points) { + static const size_t point_size = (2 * sizeof(rustsecp256k1zkp_v0_6_0_ge) + sizeof(rustsecp256k1zkp_v0_6_0_gej) + sizeof(rustsecp256k1zkp_v0_6_0_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct rustsecp256k1zkp_v0_6_0_strauss_point_state) + sizeof(rustsecp256k1zkp_v0_6_0_gej) + sizeof(rustsecp256k1zkp_v0_6_0_scalar); return n_points*point_size; } -static int rustsecp256k1zkp_v0_5_0_ecmult_strauss_batch(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { - rustsecp256k1zkp_v0_5_0_gej* points; - rustsecp256k1zkp_v0_5_0_scalar* scalars; - struct rustsecp256k1zkp_v0_5_0_strauss_state state; +static int rustsecp256k1zkp_v0_6_0_ecmult_strauss_batch(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_scratch *scratch, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { + rustsecp256k1zkp_v0_6_0_gej* points; + rustsecp256k1zkp_v0_6_0_scalar* scalars; + struct rustsecp256k1zkp_v0_6_0_strauss_state state; size_t i; - const size_t scratch_checkpoint = rustsecp256k1zkp_v0_5_0_scratch_checkpoint(error_callback, scratch); + const size_t scratch_checkpoint = rustsecp256k1zkp_v0_6_0_scratch_checkpoint(error_callback, scratch); - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); if (inp_g_sc == NULL && n_points == 0) { return 1; } - points = (rustsecp256k1zkp_v0_5_0_gej*)rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1zkp_v0_5_0_gej)); - scalars = (rustsecp256k1zkp_v0_5_0_scalar*)rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1zkp_v0_5_0_scalar)); - state.prej = (rustsecp256k1zkp_v0_5_0_gej*)rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_5_0_gej)); - state.zr = (rustsecp256k1zkp_v0_5_0_fe*)rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_5_0_fe)); - state.pre_a = (rustsecp256k1zkp_v0_5_0_ge*)rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_5_0_ge)); - state.pre_a_lam = (rustsecp256k1zkp_v0_5_0_ge*)rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_5_0_ge)); - state.ps = (struct rustsecp256k1zkp_v0_5_0_strauss_point_state*)rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, n_points * sizeof(struct rustsecp256k1zkp_v0_5_0_strauss_point_state)); + points = (rustsecp256k1zkp_v0_6_0_gej*)rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1zkp_v0_6_0_gej)); + scalars = (rustsecp256k1zkp_v0_6_0_scalar*)rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1zkp_v0_6_0_scalar)); + state.prej = (rustsecp256k1zkp_v0_6_0_gej*)rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_6_0_gej)); + state.zr = (rustsecp256k1zkp_v0_6_0_fe*)rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_6_0_fe)); + state.pre_a = (rustsecp256k1zkp_v0_6_0_ge*)rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_6_0_ge)); + state.pre_a_lam = (rustsecp256k1zkp_v0_6_0_ge*)rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1zkp_v0_6_0_ge)); + state.ps = (struct rustsecp256k1zkp_v0_6_0_strauss_point_state*)rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, n_points * sizeof(struct rustsecp256k1zkp_v0_6_0_strauss_point_state)); if (points == NULL || scalars == NULL || state.prej == NULL || state.zr == NULL || state.pre_a == NULL || state.pre_a_lam == NULL || state.ps == NULL) { - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } for (i = 0; i < n_points; i++) { - rustsecp256k1zkp_v0_5_0_ge point; + rustsecp256k1zkp_v0_6_0_ge point; if (!cb(&scalars[i], &point, i+cb_offset, cbdata)) { - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } - rustsecp256k1zkp_v0_5_0_gej_set_ge(&points[i], &point); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&points[i], &point); } - rustsecp256k1zkp_v0_5_0_ecmult_strauss_wnaf(ctx, &state, r, n_points, points, scalars, inp_g_sc); - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1zkp_v0_6_0_ecmult_strauss_wnaf(ctx, &state, r, n_points, points, scalars, inp_g_sc); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 1; } -/* Wrapper for rustsecp256k1zkp_v0_5_0_ecmult_multi_func interface */ -static int rustsecp256k1zkp_v0_5_0_ecmult_strauss_batch_single(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_ecmult_context *actx, rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void *cbdata, size_t n) { - return rustsecp256k1zkp_v0_5_0_ecmult_strauss_batch(error_callback, actx, scratch, r, inp_g_sc, cb, cbdata, n, 0); +/* Wrapper for rustsecp256k1zkp_v0_6_0_ecmult_multi_func interface */ +static int rustsecp256k1zkp_v0_6_0_ecmult_strauss_batch_single(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_ecmult_context *actx, rustsecp256k1zkp_v0_6_0_scratch *scratch, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void *cbdata, size_t n) { + return rustsecp256k1zkp_v0_6_0_ecmult_strauss_batch(error_callback, actx, scratch, r, inp_g_sc, cb, cbdata, n, 0); } -static size_t rustsecp256k1zkp_v0_5_0_strauss_max_points(const rustsecp256k1zkp_v0_5_0_callback* error_callback, rustsecp256k1zkp_v0_5_0_scratch *scratch) { - return rustsecp256k1zkp_v0_5_0_scratch_max_allocation(error_callback, scratch, STRAUSS_SCRATCH_OBJECTS) / rustsecp256k1zkp_v0_5_0_strauss_scratch_size(1); +static size_t rustsecp256k1zkp_v0_6_0_strauss_max_points(const rustsecp256k1zkp_v0_6_0_callback* error_callback, rustsecp256k1zkp_v0_6_0_scratch *scratch) { + return rustsecp256k1zkp_v0_6_0_scratch_max_allocation(error_callback, scratch, STRAUSS_SCRATCH_OBJECTS) / rustsecp256k1zkp_v0_6_0_strauss_scratch_size(1); } /** Convert a number to WNAF notation. @@ -633,25 +633,25 @@ static size_t rustsecp256k1zkp_v0_5_0_strauss_max_points(const rustsecp256k1zkp_ * - the number of words set is always WNAF_SIZE(w) * - the returned skew is 0 or 1 */ -static int rustsecp256k1zkp_v0_5_0_wnaf_fixed(int *wnaf, const rustsecp256k1zkp_v0_5_0_scalar *s, int w) { +static int rustsecp256k1zkp_v0_6_0_wnaf_fixed(int *wnaf, const rustsecp256k1zkp_v0_6_0_scalar *s, int w) { int skew = 0; int pos; int max_pos; int last_w; - const rustsecp256k1zkp_v0_5_0_scalar *work = s; + const rustsecp256k1zkp_v0_6_0_scalar *work = s; - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(s)) { + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(s)) { for (pos = 0; pos < WNAF_SIZE(w); pos++) { wnaf[pos] = 0; } return 0; } - if (rustsecp256k1zkp_v0_5_0_scalar_is_even(s)) { + if (rustsecp256k1zkp_v0_6_0_scalar_is_even(s)) { skew = 1; } - wnaf[0] = rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(work, 0, w) + skew; + wnaf[0] = rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(work, 0, w) + skew; /* Compute last window size. Relevant when window size doesn't divide the * number of bits in the scalar */ last_w = WNAF_BITS - (WNAF_SIZE(w) - 1) * w; @@ -659,7 +659,7 @@ static int rustsecp256k1zkp_v0_5_0_wnaf_fixed(int *wnaf, const rustsecp256k1zkp_ /* Store the position of the first nonzero word in max_pos to allow * skipping leading zeros when calculating the wnaf. */ for (pos = WNAF_SIZE(w) - 1; pos > 0; pos--) { - int val = rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); + int val = rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); if(val != 0) { break; } @@ -669,7 +669,7 @@ static int rustsecp256k1zkp_v0_5_0_wnaf_fixed(int *wnaf, const rustsecp256k1zkp_ pos = 1; while (pos <= max_pos) { - int val = rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); + int val = rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); if ((val & 1) == 0) { wnaf[pos - 1] -= (1 << w); wnaf[pos] = (val + 1); @@ -695,14 +695,14 @@ static int rustsecp256k1zkp_v0_5_0_wnaf_fixed(int *wnaf, const rustsecp256k1zkp_ return skew; } -struct rustsecp256k1zkp_v0_5_0_pippenger_point_state { +struct rustsecp256k1zkp_v0_6_0_pippenger_point_state { int skew_na; size_t input_pos; }; -struct rustsecp256k1zkp_v0_5_0_pippenger_state { +struct rustsecp256k1zkp_v0_6_0_pippenger_state { int *wnaf_na; - struct rustsecp256k1zkp_v0_5_0_pippenger_point_state* ps; + struct rustsecp256k1zkp_v0_6_0_pippenger_point_state* ps; }; /* @@ -712,7 +712,7 @@ struct rustsecp256k1zkp_v0_5_0_pippenger_state { * to the point's wnaf[i]. Second, the buckets are added together such that * r += 1*bucket[0] + 3*bucket[1] + 5*bucket[2] + ... */ -static int rustsecp256k1zkp_v0_5_0_ecmult_pippenger_wnaf(rustsecp256k1zkp_v0_5_0_gej *buckets, int bucket_window, struct rustsecp256k1zkp_v0_5_0_pippenger_state *state, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *sc, const rustsecp256k1zkp_v0_5_0_ge *pt, size_t num) { +static int rustsecp256k1zkp_v0_6_0_ecmult_pippenger_wnaf(rustsecp256k1zkp_v0_6_0_gej *buckets, int bucket_window, struct rustsecp256k1zkp_v0_6_0_pippenger_state *state, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *sc, const rustsecp256k1zkp_v0_6_0_ge *pt, size_t num) { size_t n_wnaf = WNAF_SIZE(bucket_window+1); size_t np; size_t no = 0; @@ -720,55 +720,55 @@ static int rustsecp256k1zkp_v0_5_0_ecmult_pippenger_wnaf(rustsecp256k1zkp_v0_5_0 int j; for (np = 0; np < num; ++np) { - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(&sc[np]) || rustsecp256k1zkp_v0_5_0_ge_is_infinity(&pt[np])) { + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(&sc[np]) || rustsecp256k1zkp_v0_6_0_ge_is_infinity(&pt[np])) { continue; } state->ps[no].input_pos = np; - state->ps[no].skew_na = rustsecp256k1zkp_v0_5_0_wnaf_fixed(&state->wnaf_na[no*n_wnaf], &sc[np], bucket_window+1); + state->ps[no].skew_na = rustsecp256k1zkp_v0_6_0_wnaf_fixed(&state->wnaf_na[no*n_wnaf], &sc[np], bucket_window+1); no++; } - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); if (no == 0) { return 1; } for (i = n_wnaf - 1; i >= 0; i--) { - rustsecp256k1zkp_v0_5_0_gej running_sum; + rustsecp256k1zkp_v0_6_0_gej running_sum; for(j = 0; j < ECMULT_TABLE_SIZE(bucket_window+2); j++) { - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&buckets[j]); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&buckets[j]); } for (np = 0; np < no; ++np) { int n = state->wnaf_na[np*n_wnaf + i]; - struct rustsecp256k1zkp_v0_5_0_pippenger_point_state point_state = state->ps[np]; - rustsecp256k1zkp_v0_5_0_ge tmp; + struct rustsecp256k1zkp_v0_6_0_pippenger_point_state point_state = state->ps[np]; + rustsecp256k1zkp_v0_6_0_ge tmp; int idx; if (i == 0) { /* correct for wnaf skew */ int skew = point_state.skew_na; if (skew) { - rustsecp256k1zkp_v0_5_0_ge_neg(&tmp, &pt[point_state.input_pos]); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&buckets[0], &buckets[0], &tmp, NULL); + rustsecp256k1zkp_v0_6_0_ge_neg(&tmp, &pt[point_state.input_pos]); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&buckets[0], &buckets[0], &tmp, NULL); } } if (n > 0) { idx = (n - 1)/2; - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL); } else if (n < 0) { idx = -(n + 1)/2; - rustsecp256k1zkp_v0_5_0_ge_neg(&tmp, &pt[point_state.input_pos]); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&buckets[idx], &buckets[idx], &tmp, NULL); + rustsecp256k1zkp_v0_6_0_ge_neg(&tmp, &pt[point_state.input_pos]); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&buckets[idx], &buckets[idx], &tmp, NULL); } } for(j = 0; j < bucket_window; j++) { - rustsecp256k1zkp_v0_5_0_gej_double_var(r, r, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(r, r, NULL); } - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&running_sum); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&running_sum); /* Accumulate the sum: bucket[0] + 3*bucket[1] + 5*bucket[2] + 7*bucket[3] + ... * = bucket[0] + bucket[1] + bucket[2] + bucket[3] + ... * + 2 * (bucket[1] + 2*bucket[2] + 3*bucket[3] + ...) @@ -778,13 +778,13 @@ static int rustsecp256k1zkp_v0_5_0_ecmult_pippenger_wnaf(rustsecp256k1zkp_v0_5_0 * The doubling is done implicitly by deferring the final window doubling (of 'r'). */ for(j = ECMULT_TABLE_SIZE(bucket_window+2) - 1; j > 0; j--) { - rustsecp256k1zkp_v0_5_0_gej_add_var(&running_sum, &running_sum, &buckets[j], NULL); - rustsecp256k1zkp_v0_5_0_gej_add_var(r, r, &running_sum, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&running_sum, &running_sum, &buckets[j], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(r, r, &running_sum, NULL); } - rustsecp256k1zkp_v0_5_0_gej_add_var(&running_sum, &running_sum, &buckets[0], NULL); - rustsecp256k1zkp_v0_5_0_gej_double_var(r, r, NULL); - rustsecp256k1zkp_v0_5_0_gej_add_var(r, r, &running_sum, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&running_sum, &running_sum, &buckets[0], NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(r, r, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(r, r, &running_sum, NULL); } return 1; } @@ -793,7 +793,7 @@ static int rustsecp256k1zkp_v0_5_0_ecmult_pippenger_wnaf(rustsecp256k1zkp_v0_5_0 * Returns optimal bucket_window (number of bits of a scalar represented by a * set of buckets) for a given number of points. */ -static int rustsecp256k1zkp_v0_5_0_pippenger_bucket_window(size_t n) { +static int rustsecp256k1zkp_v0_6_0_pippenger_bucket_window(size_t n) { if (n <= 1) { return 1; } else if (n <= 4) { @@ -822,7 +822,7 @@ static int rustsecp256k1zkp_v0_5_0_pippenger_bucket_window(size_t n) { /** * Returns the maximum optimal number of points for a bucket_window. */ -static size_t rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(int bucket_window) { +static size_t rustsecp256k1zkp_v0_6_0_pippenger_bucket_window_inv(int bucket_window) { switch(bucket_window) { case 1: return 1; case 2: return 4; @@ -841,18 +841,18 @@ static size_t rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(int bucket_win } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_ecmult_endo_split(rustsecp256k1zkp_v0_5_0_scalar *s1, rustsecp256k1zkp_v0_5_0_scalar *s2, rustsecp256k1zkp_v0_5_0_ge *p1, rustsecp256k1zkp_v0_5_0_ge *p2) { - rustsecp256k1zkp_v0_5_0_scalar tmp = *s1; - rustsecp256k1zkp_v0_5_0_scalar_split_lambda(s1, s2, &tmp); - rustsecp256k1zkp_v0_5_0_ge_mul_lambda(p2, p1); +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_ecmult_endo_split(rustsecp256k1zkp_v0_6_0_scalar *s1, rustsecp256k1zkp_v0_6_0_scalar *s2, rustsecp256k1zkp_v0_6_0_ge *p1, rustsecp256k1zkp_v0_6_0_ge *p2) { + rustsecp256k1zkp_v0_6_0_scalar tmp = *s1; + rustsecp256k1zkp_v0_6_0_scalar_split_lambda(s1, s2, &tmp); + rustsecp256k1zkp_v0_6_0_ge_mul_lambda(p2, p1); - if (rustsecp256k1zkp_v0_5_0_scalar_is_high(s1)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(s1, s1); - rustsecp256k1zkp_v0_5_0_ge_neg(p1, p1); + if (rustsecp256k1zkp_v0_6_0_scalar_is_high(s1)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(s1, s1); + rustsecp256k1zkp_v0_6_0_ge_neg(p1, p1); } - if (rustsecp256k1zkp_v0_5_0_scalar_is_high(s2)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(s2, s2); - rustsecp256k1zkp_v0_5_0_ge_neg(p2, p2); + if (rustsecp256k1zkp_v0_6_0_scalar_is_high(s2)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(s2, s2); + rustsecp256k1zkp_v0_6_0_ge_neg(p2, p2); } } @@ -860,89 +860,89 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_ecmult_endo_split(rustsecp2 * Returns the scratch size required for a given number of points (excluding * base point G) without considering alignment. */ -static size_t rustsecp256k1zkp_v0_5_0_pippenger_scratch_size(size_t n_points, int bucket_window) { +static size_t rustsecp256k1zkp_v0_6_0_pippenger_scratch_size(size_t n_points, int bucket_window) { size_t entries = 2*n_points + 2; - size_t entry_size = sizeof(rustsecp256k1zkp_v0_5_0_ge) + sizeof(rustsecp256k1zkp_v0_5_0_scalar) + sizeof(struct rustsecp256k1zkp_v0_5_0_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int); - return (sizeof(rustsecp256k1zkp_v0_5_0_gej) << bucket_window) + sizeof(struct rustsecp256k1zkp_v0_5_0_pippenger_state) + entries * entry_size; + size_t entry_size = sizeof(rustsecp256k1zkp_v0_6_0_ge) + sizeof(rustsecp256k1zkp_v0_6_0_scalar) + sizeof(struct rustsecp256k1zkp_v0_6_0_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int); + return (sizeof(rustsecp256k1zkp_v0_6_0_gej) << bucket_window) + sizeof(struct rustsecp256k1zkp_v0_6_0_pippenger_state) + entries * entry_size; } -static int rustsecp256k1zkp_v0_5_0_ecmult_pippenger_batch(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { - const size_t scratch_checkpoint = rustsecp256k1zkp_v0_5_0_scratch_checkpoint(error_callback, scratch); +static int rustsecp256k1zkp_v0_6_0_ecmult_pippenger_batch(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_scratch *scratch, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { + const size_t scratch_checkpoint = rustsecp256k1zkp_v0_6_0_scratch_checkpoint(error_callback, scratch); /* Use 2(n+1) with the endomorphism, when calculating batch * sizes. The reason for +1 is that we add the G scalar to the list of * other scalars. */ size_t entries = 2*n_points + 2; - rustsecp256k1zkp_v0_5_0_ge *points; - rustsecp256k1zkp_v0_5_0_scalar *scalars; - rustsecp256k1zkp_v0_5_0_gej *buckets; - struct rustsecp256k1zkp_v0_5_0_pippenger_state *state_space; + rustsecp256k1zkp_v0_6_0_ge *points; + rustsecp256k1zkp_v0_6_0_scalar *scalars; + rustsecp256k1zkp_v0_6_0_gej *buckets; + struct rustsecp256k1zkp_v0_6_0_pippenger_state *state_space; size_t idx = 0; size_t point_idx = 0; int i, j; int bucket_window; (void)ctx; - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); if (inp_g_sc == NULL && n_points == 0) { return 1; } - bucket_window = rustsecp256k1zkp_v0_5_0_pippenger_bucket_window(n_points); - points = (rustsecp256k1zkp_v0_5_0_ge *) rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, entries * sizeof(*points)); - scalars = (rustsecp256k1zkp_v0_5_0_scalar *) rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, entries * sizeof(*scalars)); - state_space = (struct rustsecp256k1zkp_v0_5_0_pippenger_state *) rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, sizeof(*state_space)); + bucket_window = rustsecp256k1zkp_v0_6_0_pippenger_bucket_window(n_points); + points = (rustsecp256k1zkp_v0_6_0_ge *) rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, entries * sizeof(*points)); + scalars = (rustsecp256k1zkp_v0_6_0_scalar *) rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, entries * sizeof(*scalars)); + state_space = (struct rustsecp256k1zkp_v0_6_0_pippenger_state *) rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, sizeof(*state_space)); if (points == NULL || scalars == NULL || state_space == NULL) { - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } - state_space->ps = (struct rustsecp256k1zkp_v0_5_0_pippenger_point_state *) rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, entries * sizeof(*state_space->ps)); - state_space->wnaf_na = (int *) rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, entries*(WNAF_SIZE(bucket_window+1)) * sizeof(int)); - buckets = (rustsecp256k1zkp_v0_5_0_gej *) rustsecp256k1zkp_v0_5_0_scratch_alloc(error_callback, scratch, (1<ps = (struct rustsecp256k1zkp_v0_6_0_pippenger_point_state *) rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, entries * sizeof(*state_space->ps)); + state_space->wnaf_na = (int *) rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, entries*(WNAF_SIZE(bucket_window+1)) * sizeof(int)); + buckets = (rustsecp256k1zkp_v0_6_0_gej *) rustsecp256k1zkp_v0_6_0_scratch_alloc(error_callback, scratch, (1<ps == NULL || state_space->wnaf_na == NULL || buckets == NULL) { - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } if (inp_g_sc != NULL) { scalars[0] = *inp_g_sc; - points[0] = rustsecp256k1zkp_v0_5_0_ge_const_g; + points[0] = rustsecp256k1zkp_v0_6_0_ge_const_g; idx++; - rustsecp256k1zkp_v0_5_0_ecmult_endo_split(&scalars[0], &scalars[1], &points[0], &points[1]); + rustsecp256k1zkp_v0_6_0_ecmult_endo_split(&scalars[0], &scalars[1], &points[0], &points[1]); idx++; } while (point_idx < n_points) { if (!cb(&scalars[idx], &points[idx], point_idx + cb_offset, cbdata)) { - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } idx++; - rustsecp256k1zkp_v0_5_0_ecmult_endo_split(&scalars[idx - 1], &scalars[idx], &points[idx - 1], &points[idx]); + rustsecp256k1zkp_v0_6_0_ecmult_endo_split(&scalars[idx - 1], &scalars[idx], &points[idx - 1], &points[idx]); idx++; point_idx++; } - rustsecp256k1zkp_v0_5_0_ecmult_pippenger_wnaf(buckets, bucket_window, state_space, r, scalars, points, idx); + rustsecp256k1zkp_v0_6_0_ecmult_pippenger_wnaf(buckets, bucket_window, state_space, r, scalars, points, idx); /* Clear data */ for(i = 0; (size_t)i < idx; i++) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&scalars[i]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&scalars[i]); state_space->ps[i].skew_na = 0; for(j = 0; j < WNAF_SIZE(bucket_window+1); j++) { state_space->wnaf_na[i * WNAF_SIZE(bucket_window+1) + j] = 0; } } for(i = 0; i < 1< max_alloc) { break; } @@ -986,34 +986,34 @@ static size_t rustsecp256k1zkp_v0_5_0_pippenger_max_points(const rustsecp256k1zk /* Computes ecmult_multi by simply multiplying and adding each point. Does not * require a scratch space */ -static int rustsecp256k1zkp_v0_5_0_ecmult_multi_simple_var(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void *cbdata, size_t n_points) { +static int rustsecp256k1zkp_v0_6_0_ecmult_multi_simple_var(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void *cbdata, size_t n_points) { size_t point_idx; - rustsecp256k1zkp_v0_5_0_scalar szero; - rustsecp256k1zkp_v0_5_0_gej tmpj; + rustsecp256k1zkp_v0_6_0_scalar szero; + rustsecp256k1zkp_v0_6_0_gej tmpj; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&szero, 0); - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&tmpj); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&szero, 0); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&tmpj); /* r = inp_g_sc*G */ - rustsecp256k1zkp_v0_5_0_ecmult(ctx, r, &tmpj, &szero, inp_g_sc); + rustsecp256k1zkp_v0_6_0_ecmult(ctx, r, &tmpj, &szero, inp_g_sc); for (point_idx = 0; point_idx < n_points; point_idx++) { - rustsecp256k1zkp_v0_5_0_ge point; - rustsecp256k1zkp_v0_5_0_gej pointj; - rustsecp256k1zkp_v0_5_0_scalar scalar; + rustsecp256k1zkp_v0_6_0_ge point; + rustsecp256k1zkp_v0_6_0_gej pointj; + rustsecp256k1zkp_v0_6_0_scalar scalar; if (!cb(&scalar, &point, point_idx, cbdata)) { return 0; } /* r += scalar*point */ - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pointj, &point); - rustsecp256k1zkp_v0_5_0_ecmult(ctx, &tmpj, &pointj, &scalar, NULL); - rustsecp256k1zkp_v0_5_0_gej_add_var(r, r, &tmpj, NULL); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pointj, &point); + rustsecp256k1zkp_v0_6_0_ecmult(ctx, &tmpj, &pointj, &scalar, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(r, r, &tmpj, NULL); } return 1; } /* Compute the number of batches and the batch size given the maximum batch size and the * total number of points */ -static int rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n) { +static int rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n) { if (max_n_batch_points == 0) { return 0; } @@ -1031,50 +1031,50 @@ static int rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(size_t *n_batc return 1; } -typedef int (*rustsecp256k1zkp_v0_5_0_ecmult_multi_func)(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_ecmult_context*, rustsecp256k1zkp_v0_5_0_scratch*, rustsecp256k1zkp_v0_5_0_gej*, const rustsecp256k1zkp_v0_5_0_scalar*, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void*, size_t); -static int rustsecp256k1zkp_v0_5_0_ecmult_multi_var(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void *cbdata, size_t n) { +typedef int (*rustsecp256k1zkp_v0_6_0_ecmult_multi_func)(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_ecmult_context*, rustsecp256k1zkp_v0_6_0_scratch*, rustsecp256k1zkp_v0_6_0_gej*, const rustsecp256k1zkp_v0_6_0_scalar*, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void*, size_t); +static int rustsecp256k1zkp_v0_6_0_ecmult_multi_var(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, rustsecp256k1zkp_v0_6_0_scratch *scratch, rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_scalar *inp_g_sc, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void *cbdata, size_t n) { size_t i; - int (*f)(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_ecmult_context*, rustsecp256k1zkp_v0_5_0_scratch*, rustsecp256k1zkp_v0_5_0_gej*, const rustsecp256k1zkp_v0_5_0_scalar*, rustsecp256k1zkp_v0_5_0_ecmult_multi_callback cb, void*, size_t, size_t); + int (*f)(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_ecmult_context*, rustsecp256k1zkp_v0_6_0_scratch*, rustsecp256k1zkp_v0_6_0_gej*, const rustsecp256k1zkp_v0_6_0_scalar*, rustsecp256k1zkp_v0_6_0_ecmult_multi_callback cb, void*, size_t, size_t); size_t n_batches; size_t n_batch_points; - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); if (inp_g_sc == NULL && n == 0) { return 1; } else if (n == 0) { - rustsecp256k1zkp_v0_5_0_scalar szero; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&szero, 0); - rustsecp256k1zkp_v0_5_0_ecmult(ctx, r, r, &szero, inp_g_sc); + rustsecp256k1zkp_v0_6_0_scalar szero; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&szero, 0); + rustsecp256k1zkp_v0_6_0_ecmult(ctx, r, r, &szero, inp_g_sc); return 1; } if (scratch == NULL) { - return rustsecp256k1zkp_v0_5_0_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); + return rustsecp256k1zkp_v0_6_0_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); } /* Compute the batch sizes for Pippenger's algorithm given a scratch space. If it's greater than * a threshold use Pippenger's algorithm. Otherwise use Strauss' algorithm. * As a first step check if there's enough space for Pippenger's algo (which requires less space * than Strauss' algo) and if not, use the simple algorithm. */ - if (!rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1zkp_v0_5_0_pippenger_max_points(error_callback, scratch), n)) { - return rustsecp256k1zkp_v0_5_0_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); + if (!rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1zkp_v0_6_0_pippenger_max_points(error_callback, scratch), n)) { + return rustsecp256k1zkp_v0_6_0_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); } if (n_batch_points >= ECMULT_PIPPENGER_THRESHOLD) { - f = rustsecp256k1zkp_v0_5_0_ecmult_pippenger_batch; + f = rustsecp256k1zkp_v0_6_0_ecmult_pippenger_batch; } else { - if (!rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1zkp_v0_5_0_strauss_max_points(error_callback, scratch), n)) { - return rustsecp256k1zkp_v0_5_0_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); + if (!rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1zkp_v0_6_0_strauss_max_points(error_callback, scratch), n)) { + return rustsecp256k1zkp_v0_6_0_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); } - f = rustsecp256k1zkp_v0_5_0_ecmult_strauss_batch; + f = rustsecp256k1zkp_v0_6_0_ecmult_strauss_batch; } for(i = 0; i < n_batches; i++) { size_t nbp = n < n_batch_points ? n : n_batch_points; size_t offset = n_batch_points*i; - rustsecp256k1zkp_v0_5_0_gej tmp; + rustsecp256k1zkp_v0_6_0_gej tmp; if (!f(error_callback, ctx, scratch, &tmp, i == 0 ? inp_g_sc : NULL, cb, cbdata, nbp, offset)) { return 0; } - rustsecp256k1zkp_v0_5_0_gej_add_var(r, r, &tmp, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(r, r, &tmp, NULL); n -= nbp; } return 1; diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field.h b/secp256k1-zkp-sys/depend/secp256k1/src/field.h index 7aa52964..f20bf83c 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field.h @@ -35,95 +35,91 @@ /** Normalize a field element. This brings the field element to a canonical representation, reduces * its magnitude to 1, and reduces it modulo field size `p`. */ -static void rustsecp256k1zkp_v0_5_0_fe_normalize(rustsecp256k1zkp_v0_5_0_fe *r); +static void rustsecp256k1zkp_v0_6_0_fe_normalize(rustsecp256k1zkp_v0_6_0_fe *r); /** Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize. */ -static void rustsecp256k1zkp_v0_5_0_fe_normalize_weak(rustsecp256k1zkp_v0_5_0_fe *r); +static void rustsecp256k1zkp_v0_6_0_fe_normalize_weak(rustsecp256k1zkp_v0_6_0_fe *r); /** Normalize a field element, without constant-time guarantee. */ -static void rustsecp256k1zkp_v0_5_0_fe_normalize_var(rustsecp256k1zkp_v0_5_0_fe *r); +static void rustsecp256k1zkp_v0_6_0_fe_normalize_var(rustsecp256k1zkp_v0_6_0_fe *r); -/** Verify whether a field element represents zero i.e. would normalize to a zero value. The field - * implementation may optionally normalize the input, but this should not be relied upon. */ -static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(rustsecp256k1zkp_v0_5_0_fe *r); +/** Verify whether a field element represents zero i.e. would normalize to a zero value. */ +static int rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(const rustsecp256k1zkp_v0_6_0_fe *r); -/** Verify whether a field element represents zero i.e. would normalize to a zero value. The field - * implementation may optionally normalize the input, but this should not be relied upon. */ -static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(rustsecp256k1zkp_v0_5_0_fe *r); +/** Verify whether a field element represents zero i.e. would normalize to a zero value, + * without constant-time guarantee. */ +static int rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(const rustsecp256k1zkp_v0_6_0_fe *r); /** Set a field element equal to a small integer. Resulting field element is normalized. */ -static void rustsecp256k1zkp_v0_5_0_fe_set_int(rustsecp256k1zkp_v0_5_0_fe *r, int a); +static void rustsecp256k1zkp_v0_6_0_fe_set_int(rustsecp256k1zkp_v0_6_0_fe *r, int a); /** Sets a field element equal to zero, initializing all fields. */ -static void rustsecp256k1zkp_v0_5_0_fe_clear(rustsecp256k1zkp_v0_5_0_fe *a); +static void rustsecp256k1zkp_v0_6_0_fe_clear(rustsecp256k1zkp_v0_6_0_fe *a); /** Verify whether a field element is zero. Requires the input to be normalized. */ -static int rustsecp256k1zkp_v0_5_0_fe_is_zero(const rustsecp256k1zkp_v0_5_0_fe *a); +static int rustsecp256k1zkp_v0_6_0_fe_is_zero(const rustsecp256k1zkp_v0_6_0_fe *a); /** Check the "oddness" of a field element. Requires the input to be normalized. */ -static int rustsecp256k1zkp_v0_5_0_fe_is_odd(const rustsecp256k1zkp_v0_5_0_fe *a); +static int rustsecp256k1zkp_v0_6_0_fe_is_odd(const rustsecp256k1zkp_v0_6_0_fe *a); /** Compare two field elements. Requires magnitude-1 inputs. */ -static int rustsecp256k1zkp_v0_5_0_fe_equal(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b); +static int rustsecp256k1zkp_v0_6_0_fe_equal(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b); -/** Same as rustsecp256k1zkp_v0_5_0_fe_equal, but may be variable time. */ -static int rustsecp256k1zkp_v0_5_0_fe_equal_var(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b); +/** Same as rustsecp256k1zkp_v0_6_0_fe_equal, but may be variable time. */ +static int rustsecp256k1zkp_v0_6_0_fe_equal_var(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b); /** Compare two field elements. Requires both inputs to be normalized */ -static int rustsecp256k1zkp_v0_5_0_fe_cmp_var(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b); +static int rustsecp256k1zkp_v0_6_0_fe_cmp_var(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b); /** Set a field element equal to 32-byte big endian value. If successful, the resulting field element is normalized. */ -static int rustsecp256k1zkp_v0_5_0_fe_set_b32(rustsecp256k1zkp_v0_5_0_fe *r, const unsigned char *a); +static int rustsecp256k1zkp_v0_6_0_fe_set_b32(rustsecp256k1zkp_v0_6_0_fe *r, const unsigned char *a); /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ -static void rustsecp256k1zkp_v0_5_0_fe_get_b32(unsigned char *r, const rustsecp256k1zkp_v0_5_0_fe *a); +static void rustsecp256k1zkp_v0_6_0_fe_get_b32(unsigned char *r, const rustsecp256k1zkp_v0_6_0_fe *a); /** Set a field element equal to the additive inverse of another. Takes a maximum magnitude of the input * as an argument. The magnitude of the output is one higher. */ -static void rustsecp256k1zkp_v0_5_0_fe_negate(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, int m); +static void rustsecp256k1zkp_v0_6_0_fe_negate(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, int m); /** Multiplies the passed field element with a small integer constant. Multiplies the magnitude by that * small integer. */ -static void rustsecp256k1zkp_v0_5_0_fe_mul_int(rustsecp256k1zkp_v0_5_0_fe *r, int a); +static void rustsecp256k1zkp_v0_6_0_fe_mul_int(rustsecp256k1zkp_v0_6_0_fe *r, int a); /** Adds a field element to another. The result has the sum of the inputs' magnitudes as magnitude. */ -static void rustsecp256k1zkp_v0_5_0_fe_add(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a); +static void rustsecp256k1zkp_v0_6_0_fe_add(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a); /** Sets a field element to be the product of two others. Requires the inputs' magnitudes to be at most 8. * The output magnitude is 1 (but not guaranteed to be normalized). */ -static void rustsecp256k1zkp_v0_5_0_fe_mul(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe * SECP256K1_RESTRICT b); +static void rustsecp256k1zkp_v0_6_0_fe_mul(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe * SECP256K1_RESTRICT b); /** Sets a field element to be the square of another. Requires the input's magnitude to be at most 8. * The output magnitude is 1 (but not guaranteed to be normalized). */ -static void rustsecp256k1zkp_v0_5_0_fe_sqr(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a); +static void rustsecp256k1zkp_v0_6_0_fe_sqr(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a); /** If a has a square root, it is computed in r and 1 is returned. If a does not * have a square root, the root of its negation is computed and 0 is returned. * The input's magnitude can be at most 8. The output magnitude is 1 (but not * guaranteed to be normalized). The result in r will always be a square * itself. */ -static int rustsecp256k1zkp_v0_5_0_fe_sqrt(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a); - -/** Checks whether a field element is a quadratic residue. */ -static int rustsecp256k1zkp_v0_5_0_fe_is_quad_var(const rustsecp256k1zkp_v0_5_0_fe *a); +static int rustsecp256k1zkp_v0_6_0_fe_sqrt(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a); /** Sets a field element to be the (modular) inverse of another. Requires the input's magnitude to be * at most 8. The output magnitude is 1 (but not guaranteed to be normalized). */ -static void rustsecp256k1zkp_v0_5_0_fe_inv(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a); +static void rustsecp256k1zkp_v0_6_0_fe_inv(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a); -/** Potentially faster version of rustsecp256k1zkp_v0_5_0_fe_inv, without constant-time guarantee. */ -static void rustsecp256k1zkp_v0_5_0_fe_inv_var(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a); +/** Potentially faster version of rustsecp256k1zkp_v0_6_0_fe_inv, without constant-time guarantee. */ +static void rustsecp256k1zkp_v0_6_0_fe_inv_var(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a); /** Convert a field element to the storage type. */ -static void rustsecp256k1zkp_v0_5_0_fe_to_storage(rustsecp256k1zkp_v0_5_0_fe_storage *r, const rustsecp256k1zkp_v0_5_0_fe *a); +static void rustsecp256k1zkp_v0_6_0_fe_to_storage(rustsecp256k1zkp_v0_6_0_fe_storage *r, const rustsecp256k1zkp_v0_6_0_fe *a); /** Convert a field element back from the storage type. */ -static void rustsecp256k1zkp_v0_5_0_fe_from_storage(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe_storage *a); +static void rustsecp256k1zkp_v0_6_0_fe_from_storage(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe_storage *a); /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ -static void rustsecp256k1zkp_v0_5_0_fe_storage_cmov(rustsecp256k1zkp_v0_5_0_fe_storage *r, const rustsecp256k1zkp_v0_5_0_fe_storage *a, int flag); +static void rustsecp256k1zkp_v0_6_0_fe_storage_cmov(rustsecp256k1zkp_v0_6_0_fe_storage *r, const rustsecp256k1zkp_v0_6_0_fe_storage *a, int flag); /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ -static void rustsecp256k1zkp_v0_5_0_fe_cmov(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, int flag); +static void rustsecp256k1zkp_v0_6_0_fe_cmov(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, int flag); #endif /* SECP256K1_FIELD_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26.h b/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26.h index 982797a7..98348346 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26.h @@ -18,7 +18,7 @@ typedef struct { int magnitude; int normalized; #endif -} rustsecp256k1zkp_v0_5_0_fe; +} rustsecp256k1zkp_v0_6_0_fe; /* Unpacks a constant into a overlapping multi-limbed FE element. */ #define SECP256K1_FE_CONST_INNER(d7, d6, d5, d4, d3, d2, d1, d0) { \ @@ -42,7 +42,7 @@ typedef struct { typedef struct { uint32_t n[8]; -} rustsecp256k1zkp_v0_5_0_fe_storage; +} rustsecp256k1zkp_v0_6_0_fe_storage; #define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{ (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) }} #define SECP256K1_FE_STORAGE_CONST_GET(d) d.n[7], d.n[6], d.n[5], d.n[4],d.n[3], d.n[2], d.n[1], d.n[0] diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26_impl.h index 5ae56b00..2b036d88 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field_10x26_impl.h @@ -9,9 +9,10 @@ #include "util.h" #include "field.h" +#include "modinv32_impl.h" #ifdef VERIFY -static void rustsecp256k1zkp_v0_5_0_fe_verify(const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_verify(const rustsecp256k1zkp_v0_6_0_fe *a) { const uint32_t *d = a->n; int m = a->normalized ? 1 : 2 * a->magnitude, r = 1; r &= (d[0] <= 0x3FFFFFFUL * m); @@ -39,7 +40,7 @@ static void rustsecp256k1zkp_v0_5_0_fe_verify(const rustsecp256k1zkp_v0_5_0_fe * } #endif -static void rustsecp256k1zkp_v0_5_0_fe_normalize(rustsecp256k1zkp_v0_5_0_fe *r) { +static void rustsecp256k1zkp_v0_6_0_fe_normalize(rustsecp256k1zkp_v0_6_0_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -90,11 +91,11 @@ static void rustsecp256k1zkp_v0_5_0_fe_normalize(rustsecp256k1zkp_v0_5_0_fe *r) #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static void rustsecp256k1zkp_v0_5_0_fe_normalize_weak(rustsecp256k1zkp_v0_5_0_fe *r) { +static void rustsecp256k1zkp_v0_6_0_fe_normalize_weak(rustsecp256k1zkp_v0_6_0_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -121,11 +122,11 @@ static void rustsecp256k1zkp_v0_5_0_fe_normalize_weak(rustsecp256k1zkp_v0_5_0_fe #ifdef VERIFY r->magnitude = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static void rustsecp256k1zkp_v0_5_0_fe_normalize_var(rustsecp256k1zkp_v0_5_0_fe *r) { +static void rustsecp256k1zkp_v0_6_0_fe_normalize_var(rustsecp256k1zkp_v0_6_0_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -177,11 +178,11 @@ static void rustsecp256k1zkp_v0_5_0_fe_normalize_var(rustsecp256k1zkp_v0_5_0_fe #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(rustsecp256k1zkp_v0_5_0_fe *r) { +static int rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(const rustsecp256k1zkp_v0_6_0_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -210,7 +211,7 @@ static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(rustsecp256k1zkp_v0_5_0 return (z0 == 0) | (z1 == 0x3FFFFFFUL); } -static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(rustsecp256k1zkp_v0_5_0_fe *r) { +static int rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(const rustsecp256k1zkp_v0_6_0_fe *r) { uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; uint32_t z0, z1; uint32_t x; @@ -262,34 +263,34 @@ static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(rustsecp256k1zkp_v0 return (z0 == 0) | (z1 == 0x3FFFFFFUL); } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_set_int(rustsecp256k1zkp_v0_5_0_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_set_int(rustsecp256k1zkp_v0_6_0_fe *r, int a) { r->n[0] = a; r->n[1] = r->n[2] = r->n[3] = r->n[4] = r->n[5] = r->n[6] = r->n[7] = r->n[8] = r->n[9] = 0; #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_fe_is_zero(const rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_fe_is_zero(const rustsecp256k1zkp_v0_6_0_fe *a) { const uint32_t *t = a->n; #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif return (t[0] | t[1] | t[2] | t[3] | t[4] | t[5] | t[6] | t[7] | t[8] | t[9]) == 0; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_fe_is_odd(const rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_fe_is_odd(const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif return a->n[0] & 1; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_clear(rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_clear(rustsecp256k1zkp_v0_6_0_fe *a) { int i; #ifdef VERIFY a->magnitude = 0; @@ -300,13 +301,13 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_clear(rustsecp256k1zkp_v } } -static int rustsecp256k1zkp_v0_5_0_fe_cmp_var(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b) { +static int rustsecp256k1zkp_v0_6_0_fe_cmp_var(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b) { int i; #ifdef VERIFY VERIFY_CHECK(a->normalized); VERIFY_CHECK(b->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); - rustsecp256k1zkp_v0_5_0_fe_verify(b); + rustsecp256k1zkp_v0_6_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(b); #endif for (i = 9; i >= 0; i--) { if (a->n[i] > b->n[i]) { @@ -319,7 +320,7 @@ static int rustsecp256k1zkp_v0_5_0_fe_cmp_var(const rustsecp256k1zkp_v0_5_0_fe * return 0; } -static int rustsecp256k1zkp_v0_5_0_fe_set_b32(rustsecp256k1zkp_v0_5_0_fe *r, const unsigned char *a) { +static int rustsecp256k1zkp_v0_6_0_fe_set_b32(rustsecp256k1zkp_v0_6_0_fe *r, const unsigned char *a) { int ret; r->n[0] = (uint32_t)a[31] | ((uint32_t)a[30] << 8) | ((uint32_t)a[29] << 16) | ((uint32_t)(a[28] & 0x3) << 24); r->n[1] = (uint32_t)((a[28] >> 2) & 0x3f) | ((uint32_t)a[27] << 6) | ((uint32_t)a[26] << 14) | ((uint32_t)(a[25] & 0xf) << 22); @@ -337,7 +338,7 @@ static int rustsecp256k1zkp_v0_5_0_fe_set_b32(rustsecp256k1zkp_v0_5_0_fe *r, con r->magnitude = 1; if (ret) { r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); } else { r->normalized = 0; } @@ -346,10 +347,10 @@ static int rustsecp256k1zkp_v0_5_0_fe_set_b32(rustsecp256k1zkp_v0_5_0_fe *r, con } /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ -static void rustsecp256k1zkp_v0_5_0_fe_get_b32(unsigned char *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_get_b32(unsigned char *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif r[0] = (a->n[9] >> 14) & 0xff; r[1] = (a->n[9] >> 6) & 0xff; @@ -385,10 +386,10 @@ static void rustsecp256k1zkp_v0_5_0_fe_get_b32(unsigned char *r, const rustsecp2 r[31] = a->n[0] & 0xff; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_negate(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, int m) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_negate(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, int m) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= m); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif r->n[0] = 0x3FFFC2FUL * 2 * (m + 1) - a->n[0]; r->n[1] = 0x3FFFFBFUL * 2 * (m + 1) - a->n[1]; @@ -403,11 +404,11 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_negate(rustsecp256k1zkp_ #ifdef VERIFY r->magnitude = m + 1; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_int(rustsecp256k1zkp_v0_5_0_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_mul_int(rustsecp256k1zkp_v0_6_0_fe *r, int a) { r->n[0] *= a; r->n[1] *= a; r->n[2] *= a; @@ -421,13 +422,13 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_int(rustsecp256k1zkp #ifdef VERIFY r->magnitude *= a; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_add(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_add(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif r->n[0] += a->n[0]; r->n[1] += a->n[1]; @@ -442,15 +443,15 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_add(rustsecp256k1zkp_v0_ #ifdef VERIFY r->magnitude += a->magnitude; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } #if defined(USE_EXTERNAL_ASM) /* External assembler implementation */ -void rustsecp256k1zkp_v0_5_0_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b); -void rustsecp256k1zkp_v0_5_0_fe_sqr_inner(uint32_t *r, const uint32_t *a); +void rustsecp256k1zkp_v0_6_0_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b); +void rustsecp256k1zkp_v0_6_0_fe_sqr_inner(uint32_t *r, const uint32_t *a); #else @@ -460,7 +461,7 @@ void rustsecp256k1zkp_v0_5_0_fe_sqr_inner(uint32_t *r, const uint32_t *a); #define VERIFY_BITS(x, n) do { } while(0) #endif -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b) { uint64_t c, d; uint64_t u0, u1, u2, u3, u4, u5, u6, u7, u8; uint32_t t9, t1, t0, t2, t3, t4, t5, t6, t7; @@ -790,7 +791,7 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_inner(uint32_t *r, c /* [r9 r8 r7 r6 r5 r4 r3 r2 r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */ } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_sqr_inner(uint32_t *r, const uint32_t *a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_sqr_inner(uint32_t *r, const uint32_t *a) { uint64_t c, d; uint64_t u0, u1, u2, u3, u4, u5, u6, u7, u8; uint32_t t9, t0, t1, t2, t3, t4, t5, t6, t7; @@ -1065,37 +1066,37 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_sqr_inner(uint32_t *r, c } #endif -static void rustsecp256k1zkp_v0_5_0_fe_mul(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe * SECP256K1_RESTRICT b) { +static void rustsecp256k1zkp_v0_6_0_fe_mul(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe * SECP256K1_RESTRICT b) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); VERIFY_CHECK(b->magnitude <= 8); - rustsecp256k1zkp_v0_5_0_fe_verify(a); - rustsecp256k1zkp_v0_5_0_fe_verify(b); + rustsecp256k1zkp_v0_6_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(b); VERIFY_CHECK(r != b); VERIFY_CHECK(a != b); #endif - rustsecp256k1zkp_v0_5_0_fe_mul_inner(r->n, a->n, b->n); + rustsecp256k1zkp_v0_6_0_fe_mul_inner(r->n, a->n, b->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static void rustsecp256k1zkp_v0_5_0_fe_sqr(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_sqr(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif - rustsecp256k1zkp_v0_5_0_fe_sqr_inner(r->n, a->n); + rustsecp256k1zkp_v0_6_0_fe_sqr_inner(r->n, a->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_cmov(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_fe_cmov(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, int flag) { uint32_t mask0, mask1; VG_CHECK_VERIFY(r->n, sizeof(r->n)); mask0 = flag + ~((uint32_t)0); @@ -1118,7 +1119,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_cmov(rustsecp256k1zkp_v0 #endif } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_storage_cmov(rustsecp256k1zkp_v0_5_0_fe_storage *r, const rustsecp256k1zkp_v0_5_0_fe_storage *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_fe_storage_cmov(rustsecp256k1zkp_v0_6_0_fe_storage *r, const rustsecp256k1zkp_v0_6_0_fe_storage *a, int flag) { uint32_t mask0, mask1; VG_CHECK_VERIFY(r->n, sizeof(r->n)); mask0 = flag + ~((uint32_t)0); @@ -1133,7 +1134,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_storage_cmov(rustsecp256 r->n[7] = (r->n[7] & mask0) | (a->n[7] & mask1); } -static void rustsecp256k1zkp_v0_5_0_fe_to_storage(rustsecp256k1zkp_v0_5_0_fe_storage *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_to_storage(rustsecp256k1zkp_v0_6_0_fe_storage *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); #endif @@ -1147,7 +1148,7 @@ static void rustsecp256k1zkp_v0_5_0_fe_to_storage(rustsecp256k1zkp_v0_5_0_fe_sto r->n[7] = a->n[8] >> 16 | a->n[9] << 10; } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_from_storage(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe_storage *a) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_fe_from_storage(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe_storage *a) { r->n[0] = a->n[0] & 0x3FFFFFFUL; r->n[1] = a->n[0] >> 26 | ((a->n[1] << 6) & 0x3FFFFFFUL); r->n[2] = a->n[1] >> 20 | ((a->n[2] << 12) & 0x3FFFFFFUL); @@ -1164,4 +1165,92 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_from_storage(rustsecp256 #endif } +static void rustsecp256k1zkp_v0_6_0_fe_from_signed30(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_modinv32_signed30 *a) { + const uint32_t M26 = UINT32_MAX >> 6; + const uint32_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4], + a5 = a->v[5], a6 = a->v[6], a7 = a->v[7], a8 = a->v[8]; + + /* The output from rustsecp256k1zkp_v0_6_0_modinv32{_var} should be normalized to range [0,modulus), and + * have limbs in [0,2^30). The modulus is < 2^256, so the top limb must be below 2^(256-30*8). + */ + VERIFY_CHECK(a0 >> 30 == 0); + VERIFY_CHECK(a1 >> 30 == 0); + VERIFY_CHECK(a2 >> 30 == 0); + VERIFY_CHECK(a3 >> 30 == 0); + VERIFY_CHECK(a4 >> 30 == 0); + VERIFY_CHECK(a5 >> 30 == 0); + VERIFY_CHECK(a6 >> 30 == 0); + VERIFY_CHECK(a7 >> 30 == 0); + VERIFY_CHECK(a8 >> 16 == 0); + + r->n[0] = a0 & M26; + r->n[1] = (a0 >> 26 | a1 << 4) & M26; + r->n[2] = (a1 >> 22 | a2 << 8) & M26; + r->n[3] = (a2 >> 18 | a3 << 12) & M26; + r->n[4] = (a3 >> 14 | a4 << 16) & M26; + r->n[5] = (a4 >> 10 | a5 << 20) & M26; + r->n[6] = (a5 >> 6 | a6 << 24) & M26; + r->n[7] = (a6 >> 2 ) & M26; + r->n[8] = (a6 >> 28 | a7 << 2) & M26; + r->n[9] = (a7 >> 24 | a8 << 6); + +#ifdef VERIFY + r->magnitude = 1; + r->normalized = 1; + rustsecp256k1zkp_v0_6_0_fe_verify(r); +#endif +} + +static void rustsecp256k1zkp_v0_6_0_fe_to_signed30(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *r, const rustsecp256k1zkp_v0_6_0_fe *a) { + const uint32_t M30 = UINT32_MAX >> 2; + const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4], + a5 = a->n[5], a6 = a->n[6], a7 = a->n[7], a8 = a->n[8], a9 = a->n[9]; + +#ifdef VERIFY + VERIFY_CHECK(a->normalized); +#endif + + r->v[0] = (a0 | a1 << 26) & M30; + r->v[1] = (a1 >> 4 | a2 << 22) & M30; + r->v[2] = (a2 >> 8 | a3 << 18) & M30; + r->v[3] = (a3 >> 12 | a4 << 14) & M30; + r->v[4] = (a4 >> 16 | a5 << 10) & M30; + r->v[5] = (a5 >> 20 | a6 << 6) & M30; + r->v[6] = (a6 >> 24 | a7 << 2 + | a8 << 28) & M30; + r->v[7] = (a8 >> 2 | a9 << 24) & M30; + r->v[8] = a9 >> 6; +} + +static const rustsecp256k1zkp_v0_6_0_modinv32_modinfo rustsecp256k1zkp_v0_6_0_const_modinfo_fe = { + {{-0x3D1, -4, 0, 0, 0, 0, 0, 0, 65536}}, + 0x2DDACACFL +}; + +static void rustsecp256k1zkp_v0_6_0_fe_inv(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *x) { + rustsecp256k1zkp_v0_6_0_fe tmp; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 s; + + tmp = *x; + rustsecp256k1zkp_v0_6_0_fe_normalize(&tmp); + rustsecp256k1zkp_v0_6_0_fe_to_signed30(&s, &tmp); + rustsecp256k1zkp_v0_6_0_modinv32(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_fe); + rustsecp256k1zkp_v0_6_0_fe_from_signed30(r, &s); + + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(r) == rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&tmp)); +} + +static void rustsecp256k1zkp_v0_6_0_fe_inv_var(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *x) { + rustsecp256k1zkp_v0_6_0_fe tmp; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 s; + + tmp = *x; + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&tmp); + rustsecp256k1zkp_v0_6_0_fe_to_signed30(&s, &tmp); + rustsecp256k1zkp_v0_6_0_modinv32_var(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_fe); + rustsecp256k1zkp_v0_6_0_fe_from_signed30(r, &s); + + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(r) == rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&tmp)); +} + #endif /* SECP256K1_FIELD_REPR_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52.h b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52.h index 7a56f3e7..6bfa983a 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52.h @@ -18,7 +18,7 @@ typedef struct { int magnitude; int normalized; #endif -} rustsecp256k1zkp_v0_5_0_fe; +} rustsecp256k1zkp_v0_6_0_fe; /* Unpacks a constant into a overlapping multi-limbed FE element. */ #define SECP256K1_FE_CONST_INNER(d7, d6, d5, d4, d3, d2, d1, d0) { \ @@ -37,7 +37,7 @@ typedef struct { typedef struct { uint64_t n[4]; -} rustsecp256k1zkp_v0_5_0_fe_storage; +} rustsecp256k1zkp_v0_6_0_fe_storage; #define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{ \ (d0) | (((uint64_t)(d1)) << 32), \ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_asm_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_asm_impl.h index 31426eda..7bb3d785 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_asm_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_asm_impl.h @@ -14,7 +14,7 @@ #ifndef SECP256K1_FIELD_INNER5X52_IMPL_H #define SECP256K1_FIELD_INNER5X52_IMPL_H -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { /** * Registers: rdx:rax = multiplication accumulator * r9:r8 = c @@ -284,7 +284,7 @@ __asm__ __volatile__( ); } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_sqr_inner(uint64_t *r, const uint64_t *a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_sqr_inner(uint64_t *r, const uint64_t *a) { /** * Registers: rdx:rax = multiplication accumulator * r9:r8 = c diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_impl.h index 1a2808be..fb6f5161 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_impl.h @@ -13,6 +13,7 @@ #include "util.h" #include "field.h" +#include "modinv64_impl.h" #if defined(USE_ASM_X86_64) #include "field_5x52_asm_impl.h" @@ -29,7 +30,7 @@ */ #ifdef VERIFY -static void rustsecp256k1zkp_v0_5_0_fe_verify(const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_verify(const rustsecp256k1zkp_v0_6_0_fe *a) { const uint64_t *d = a->n; int m = a->normalized ? 1 : 2 * a->magnitude, r = 1; /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ @@ -50,7 +51,7 @@ static void rustsecp256k1zkp_v0_5_0_fe_verify(const rustsecp256k1zkp_v0_5_0_fe * } #endif -static void rustsecp256k1zkp_v0_5_0_fe_normalize(rustsecp256k1zkp_v0_5_0_fe *r) { +static void rustsecp256k1zkp_v0_6_0_fe_normalize(rustsecp256k1zkp_v0_6_0_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* Reduce t4 at the start so there will be at most a single carry from the first pass */ @@ -89,11 +90,11 @@ static void rustsecp256k1zkp_v0_5_0_fe_normalize(rustsecp256k1zkp_v0_5_0_fe *r) #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static void rustsecp256k1zkp_v0_5_0_fe_normalize_weak(rustsecp256k1zkp_v0_5_0_fe *r) { +static void rustsecp256k1zkp_v0_6_0_fe_normalize_weak(rustsecp256k1zkp_v0_6_0_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* Reduce t4 at the start so there will be at most a single carry from the first pass */ @@ -113,11 +114,11 @@ static void rustsecp256k1zkp_v0_5_0_fe_normalize_weak(rustsecp256k1zkp_v0_5_0_fe #ifdef VERIFY r->magnitude = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static void rustsecp256k1zkp_v0_5_0_fe_normalize_var(rustsecp256k1zkp_v0_5_0_fe *r) { +static void rustsecp256k1zkp_v0_6_0_fe_normalize_var(rustsecp256k1zkp_v0_6_0_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* Reduce t4 at the start so there will be at most a single carry from the first pass */ @@ -157,11 +158,11 @@ static void rustsecp256k1zkp_v0_5_0_fe_normalize_var(rustsecp256k1zkp_v0_5_0_fe #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(rustsecp256k1zkp_v0_5_0_fe *r) { +static int rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(const rustsecp256k1zkp_v0_6_0_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ @@ -184,7 +185,7 @@ static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(rustsecp256k1zkp_v0_5_0 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); } -static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(rustsecp256k1zkp_v0_5_0_fe *r) { +static int rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(const rustsecp256k1zkp_v0_6_0_fe *r) { uint64_t t0, t1, t2, t3, t4; uint64_t z0, z1; uint64_t x; @@ -225,34 +226,34 @@ static int rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(rustsecp256k1zkp_v0 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_set_int(rustsecp256k1zkp_v0_5_0_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_set_int(rustsecp256k1zkp_v0_6_0_fe *r, int a) { r->n[0] = a; r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0; #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_fe_is_zero(const rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_fe_is_zero(const rustsecp256k1zkp_v0_6_0_fe *a) { const uint64_t *t = a->n; #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_fe_is_odd(const rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_fe_is_odd(const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif return a->n[0] & 1; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_clear(rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_clear(rustsecp256k1zkp_v0_6_0_fe *a) { int i; #ifdef VERIFY a->magnitude = 0; @@ -263,13 +264,13 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_clear(rustsecp256k1zkp_v } } -static int rustsecp256k1zkp_v0_5_0_fe_cmp_var(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b) { +static int rustsecp256k1zkp_v0_6_0_fe_cmp_var(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b) { int i; #ifdef VERIFY VERIFY_CHECK(a->normalized); VERIFY_CHECK(b->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); - rustsecp256k1zkp_v0_5_0_fe_verify(b); + rustsecp256k1zkp_v0_6_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(b); #endif for (i = 4; i >= 0; i--) { if (a->n[i] > b->n[i]) { @@ -282,7 +283,7 @@ static int rustsecp256k1zkp_v0_5_0_fe_cmp_var(const rustsecp256k1zkp_v0_5_0_fe * return 0; } -static int rustsecp256k1zkp_v0_5_0_fe_set_b32(rustsecp256k1zkp_v0_5_0_fe *r, const unsigned char *a) { +static int rustsecp256k1zkp_v0_6_0_fe_set_b32(rustsecp256k1zkp_v0_6_0_fe *r, const unsigned char *a) { int ret; r->n[0] = (uint64_t)a[31] | ((uint64_t)a[30] << 8) @@ -323,7 +324,7 @@ static int rustsecp256k1zkp_v0_5_0_fe_set_b32(rustsecp256k1zkp_v0_5_0_fe *r, con r->magnitude = 1; if (ret) { r->normalized = 1; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); } else { r->normalized = 0; } @@ -332,10 +333,10 @@ static int rustsecp256k1zkp_v0_5_0_fe_set_b32(rustsecp256k1zkp_v0_5_0_fe *r, con } /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ -static void rustsecp256k1zkp_v0_5_0_fe_get_b32(unsigned char *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_get_b32(unsigned char *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif r[0] = (a->n[4] >> 40) & 0xFF; r[1] = (a->n[4] >> 32) & 0xFF; @@ -371,10 +372,10 @@ static void rustsecp256k1zkp_v0_5_0_fe_get_b32(unsigned char *r, const rustsecp2 r[31] = a->n[0] & 0xFF; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_negate(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, int m) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_negate(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, int m) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= m); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0]; r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1]; @@ -384,11 +385,11 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_negate(rustsecp256k1zkp_ #ifdef VERIFY r->magnitude = m + 1; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_int(rustsecp256k1zkp_v0_5_0_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_mul_int(rustsecp256k1zkp_v0_6_0_fe *r, int a) { r->n[0] *= a; r->n[1] *= a; r->n[2] *= a; @@ -397,13 +398,13 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_int(rustsecp256k1zkp #ifdef VERIFY r->magnitude *= a; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_add(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_add(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif r->n[0] += a->n[0]; r->n[1] += a->n[1]; @@ -413,41 +414,41 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_add(rustsecp256k1zkp_v0_ #ifdef VERIFY r->magnitude += a->magnitude; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static void rustsecp256k1zkp_v0_5_0_fe_mul(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe * SECP256K1_RESTRICT b) { +static void rustsecp256k1zkp_v0_6_0_fe_mul(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe * SECP256K1_RESTRICT b) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); VERIFY_CHECK(b->magnitude <= 8); - rustsecp256k1zkp_v0_5_0_fe_verify(a); - rustsecp256k1zkp_v0_5_0_fe_verify(b); + rustsecp256k1zkp_v0_6_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(b); VERIFY_CHECK(r != b); VERIFY_CHECK(a != b); #endif - rustsecp256k1zkp_v0_5_0_fe_mul_inner(r->n, a->n, b->n); + rustsecp256k1zkp_v0_6_0_fe_mul_inner(r->n, a->n, b->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static void rustsecp256k1zkp_v0_5_0_fe_sqr(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_sqr(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); - rustsecp256k1zkp_v0_5_0_fe_verify(a); + rustsecp256k1zkp_v0_6_0_fe_verify(a); #endif - rustsecp256k1zkp_v0_5_0_fe_sqr_inner(r->n, a->n); + rustsecp256k1zkp_v0_6_0_fe_sqr_inner(r->n, a->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1zkp_v0_5_0_fe_verify(r); + rustsecp256k1zkp_v0_6_0_fe_verify(r); #endif } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_cmov(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_fe_cmov(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a, int flag) { uint64_t mask0, mask1; VG_CHECK_VERIFY(r->n, sizeof(r->n)); mask0 = flag + ~((uint64_t)0); @@ -465,7 +466,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_cmov(rustsecp256k1zkp_v0 #endif } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_storage_cmov(rustsecp256k1zkp_v0_5_0_fe_storage *r, const rustsecp256k1zkp_v0_5_0_fe_storage *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_fe_storage_cmov(rustsecp256k1zkp_v0_6_0_fe_storage *r, const rustsecp256k1zkp_v0_6_0_fe_storage *a, int flag) { uint64_t mask0, mask1; VG_CHECK_VERIFY(r->n, sizeof(r->n)); mask0 = flag + ~((uint64_t)0); @@ -476,7 +477,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_storage_cmov(rustsecp256 r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); } -static void rustsecp256k1zkp_v0_5_0_fe_to_storage(rustsecp256k1zkp_v0_5_0_fe_storage *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +static void rustsecp256k1zkp_v0_6_0_fe_to_storage(rustsecp256k1zkp_v0_6_0_fe_storage *r, const rustsecp256k1zkp_v0_6_0_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); #endif @@ -486,7 +487,7 @@ static void rustsecp256k1zkp_v0_5_0_fe_to_storage(rustsecp256k1zkp_v0_5_0_fe_sto r->n[3] = a->n[3] >> 36 | a->n[4] << 16; } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_from_storage(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe_storage *a) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_fe_from_storage(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe_storage *a) { r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL; r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL); r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL); @@ -498,4 +499,80 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_fe_from_storage(rustsecp256 #endif } +static void rustsecp256k1zkp_v0_6_0_fe_from_signed62(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_modinv64_signed62 *a) { + const uint64_t M52 = UINT64_MAX >> 12; + const uint64_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4]; + + /* The output from rustsecp256k1zkp_v0_6_0_modinv64{_var} should be normalized to range [0,modulus), and + * have limbs in [0,2^62). The modulus is < 2^256, so the top limb must be below 2^(256-62*4). + */ + VERIFY_CHECK(a0 >> 62 == 0); + VERIFY_CHECK(a1 >> 62 == 0); + VERIFY_CHECK(a2 >> 62 == 0); + VERIFY_CHECK(a3 >> 62 == 0); + VERIFY_CHECK(a4 >> 8 == 0); + + r->n[0] = a0 & M52; + r->n[1] = (a0 >> 52 | a1 << 10) & M52; + r->n[2] = (a1 >> 42 | a2 << 20) & M52; + r->n[3] = (a2 >> 32 | a3 << 30) & M52; + r->n[4] = (a3 >> 22 | a4 << 40); + +#ifdef VERIFY + r->magnitude = 1; + r->normalized = 1; + rustsecp256k1zkp_v0_6_0_fe_verify(r); +#endif +} + +static void rustsecp256k1zkp_v0_6_0_fe_to_signed62(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *r, const rustsecp256k1zkp_v0_6_0_fe *a) { + const uint64_t M62 = UINT64_MAX >> 2; + const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4]; + +#ifdef VERIFY + VERIFY_CHECK(a->normalized); +#endif + + r->v[0] = (a0 | a1 << 52) & M62; + r->v[1] = (a1 >> 10 | a2 << 42) & M62; + r->v[2] = (a2 >> 20 | a3 << 32) & M62; + r->v[3] = (a3 >> 30 | a4 << 22) & M62; + r->v[4] = a4 >> 40; +} + +static const rustsecp256k1zkp_v0_6_0_modinv64_modinfo rustsecp256k1zkp_v0_6_0_const_modinfo_fe = { + {{-0x1000003D1LL, 0, 0, 0, 256}}, + 0x27C7F6E22DDACACFLL +}; + +static void rustsecp256k1zkp_v0_6_0_fe_inv(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *x) { + rustsecp256k1zkp_v0_6_0_fe tmp; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 s; + + tmp = *x; + rustsecp256k1zkp_v0_6_0_fe_normalize(&tmp); + rustsecp256k1zkp_v0_6_0_fe_to_signed62(&s, &tmp); + rustsecp256k1zkp_v0_6_0_modinv64(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_fe); + rustsecp256k1zkp_v0_6_0_fe_from_signed62(r, &s); + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(r) == rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&tmp)); +#endif +} + +static void rustsecp256k1zkp_v0_6_0_fe_inv_var(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *x) { + rustsecp256k1zkp_v0_6_0_fe tmp; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 s; + + tmp = *x; + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&tmp); + rustsecp256k1zkp_v0_6_0_fe_to_signed62(&s, &tmp); + rustsecp256k1zkp_v0_6_0_modinv64_var(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_fe); + rustsecp256k1zkp_v0_6_0_fe_from_signed62(r, &s); + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(r) == rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&tmp)); +#endif +} + #endif /* SECP256K1_FIELD_REPR_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_int128_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_int128_impl.h index 1992b646..5311cde7 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_int128_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field_5x52_int128_impl.h @@ -15,7 +15,7 @@ #define VERIFY_BITS(x, n) do { } while(0) #endif -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { uint128_t c, d; uint64_t t3, t4, tx, u0; uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4]; @@ -154,7 +154,7 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_mul_inner(uint64_t *r, c /* [r4 r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_fe_sqr_inner(uint64_t *r, const uint64_t *a) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_fe_sqr_inner(uint64_t *r, const uint64_t *a) { uint128_t c, d; uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4]; int64_t t3, t4, tx, u0; diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/field_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/field_impl.h index f3ee4b37..36fe0f61 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/field_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/field_impl.h @@ -12,7 +12,6 @@ #endif #include "util.h" -#include "num.h" #if defined(SECP256K1_WIDEMUL_INT128) #include "field_5x52_impl.h" @@ -22,21 +21,21 @@ #error "Please select wide multiplication implementation" #endif -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_fe_equal(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b) { - rustsecp256k1zkp_v0_5_0_fe na; - rustsecp256k1zkp_v0_5_0_fe_negate(&na, a, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&na, b); - return rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(&na); +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_fe_equal(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b) { + rustsecp256k1zkp_v0_6_0_fe na; + rustsecp256k1zkp_v0_6_0_fe_negate(&na, a, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&na, b); + return rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&na); } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_fe_equal_var(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b) { - rustsecp256k1zkp_v0_5_0_fe na; - rustsecp256k1zkp_v0_5_0_fe_negate(&na, a, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&na, b); - return rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&na); +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_fe_equal_var(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b) { + rustsecp256k1zkp_v0_6_0_fe na; + rustsecp256k1zkp_v0_6_0_fe_negate(&na, a, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&na, b); + return rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&na); } -static int rustsecp256k1zkp_v0_5_0_fe_sqrt(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a) { +static int rustsecp256k1zkp_v0_6_0_fe_sqrt(rustsecp256k1zkp_v0_6_0_fe *r, const rustsecp256k1zkp_v0_6_0_fe *a) { /** Given that p is congruent to 3 mod 4, we can compute the square root of * a mod p as the (p+1)/4'th power of a. * @@ -46,7 +45,7 @@ static int rustsecp256k1zkp_v0_5_0_fe_sqrt(rustsecp256k1zkp_v0_5_0_fe *r, const * Also because (p+1)/4 is an even number, the computed square root is * itself always a square (a ** ((p+1)/4) is the square of a ** ((p+1)/8)). */ - rustsecp256k1zkp_v0_5_0_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; + rustsecp256k1zkp_v0_6_0_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; int j; VERIFY_CHECK(r != a); @@ -56,238 +55,86 @@ static int rustsecp256k1zkp_v0_5_0_fe_sqrt(rustsecp256k1zkp_v0_5_0_fe *r, const * 1, [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223] */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&x2, a); - rustsecp256k1zkp_v0_5_0_fe_mul(&x2, &x2, a); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x2, a); + rustsecp256k1zkp_v0_6_0_fe_mul(&x2, &x2, a); - rustsecp256k1zkp_v0_5_0_fe_sqr(&x3, &x2); - rustsecp256k1zkp_v0_5_0_fe_mul(&x3, &x3, a); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x3, &x2); + rustsecp256k1zkp_v0_6_0_fe_mul(&x3, &x3, a); x6 = x3; for (j=0; j<3; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x6, &x6); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x6, &x6); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x6, &x6, &x3); + rustsecp256k1zkp_v0_6_0_fe_mul(&x6, &x6, &x3); x9 = x6; for (j=0; j<3; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x9, &x9); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x9, &x9); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x9, &x9, &x3); + rustsecp256k1zkp_v0_6_0_fe_mul(&x9, &x9, &x3); x11 = x9; for (j=0; j<2; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x11, &x11); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x11, &x11); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x11, &x11, &x2); + rustsecp256k1zkp_v0_6_0_fe_mul(&x11, &x11, &x2); x22 = x11; for (j=0; j<11; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x22, &x22); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x22, &x22); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x22, &x22, &x11); + rustsecp256k1zkp_v0_6_0_fe_mul(&x22, &x22, &x11); x44 = x22; for (j=0; j<22; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x44, &x44); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x44, &x44); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x44, &x44, &x22); + rustsecp256k1zkp_v0_6_0_fe_mul(&x44, &x44, &x22); x88 = x44; for (j=0; j<44; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x88, &x88); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x88, &x88); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x88, &x88, &x44); + rustsecp256k1zkp_v0_6_0_fe_mul(&x88, &x88, &x44); x176 = x88; for (j=0; j<88; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x176, &x176); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x176, &x176); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x176, &x176, &x88); + rustsecp256k1zkp_v0_6_0_fe_mul(&x176, &x176, &x88); x220 = x176; for (j=0; j<44; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x220, &x220); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x220, &x220); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x220, &x220, &x44); + rustsecp256k1zkp_v0_6_0_fe_mul(&x220, &x220, &x44); x223 = x220; for (j=0; j<3; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x223, &x223); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x223, &x223); } - rustsecp256k1zkp_v0_5_0_fe_mul(&x223, &x223, &x3); + rustsecp256k1zkp_v0_6_0_fe_mul(&x223, &x223, &x3); /* The final result is then assembled using a sliding window over the blocks. */ t1 = x223; for (j=0; j<23; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &t1); + rustsecp256k1zkp_v0_6_0_fe_sqr(&t1, &t1); } - rustsecp256k1zkp_v0_5_0_fe_mul(&t1, &t1, &x22); + rustsecp256k1zkp_v0_6_0_fe_mul(&t1, &t1, &x22); for (j=0; j<6; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &t1); + rustsecp256k1zkp_v0_6_0_fe_sqr(&t1, &t1); } - rustsecp256k1zkp_v0_5_0_fe_mul(&t1, &t1, &x2); - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &t1); - rustsecp256k1zkp_v0_5_0_fe_sqr(r, &t1); + rustsecp256k1zkp_v0_6_0_fe_mul(&t1, &t1, &x2); + rustsecp256k1zkp_v0_6_0_fe_sqr(&t1, &t1); + rustsecp256k1zkp_v0_6_0_fe_sqr(r, &t1); /* Check that a square root was actually calculated */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, r); - return rustsecp256k1zkp_v0_5_0_fe_equal(&t1, a); + rustsecp256k1zkp_v0_6_0_fe_sqr(&t1, r); + return rustsecp256k1zkp_v0_6_0_fe_equal(&t1, a); } -static void rustsecp256k1zkp_v0_5_0_fe_inv(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a) { - rustsecp256k1zkp_v0_5_0_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; - int j; - - /** The binary representation of (p - 2) has 5 blocks of 1s, with lengths in - * { 1, 2, 22, 223 }. Use an addition chain to calculate 2^n - 1 for each block: - * [1], [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223] - */ - - rustsecp256k1zkp_v0_5_0_fe_sqr(&x2, a); - rustsecp256k1zkp_v0_5_0_fe_mul(&x2, &x2, a); - - rustsecp256k1zkp_v0_5_0_fe_sqr(&x3, &x2); - rustsecp256k1zkp_v0_5_0_fe_mul(&x3, &x3, a); - - x6 = x3; - for (j=0; j<3; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x6, &x6); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x6, &x6, &x3); - - x9 = x6; - for (j=0; j<3; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x9, &x9); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x9, &x9, &x3); - - x11 = x9; - for (j=0; j<2; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x11, &x11); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x11, &x11, &x2); - - x22 = x11; - for (j=0; j<11; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x22, &x22); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x22, &x22, &x11); - - x44 = x22; - for (j=0; j<22; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x44, &x44); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x44, &x44, &x22); - - x88 = x44; - for (j=0; j<44; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x88, &x88); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x88, &x88, &x44); - - x176 = x88; - for (j=0; j<88; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x176, &x176); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x176, &x176, &x88); - - x220 = x176; - for (j=0; j<44; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x220, &x220); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x220, &x220, &x44); - - x223 = x220; - for (j=0; j<3; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&x223, &x223); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&x223, &x223, &x3); - - /* The final result is then assembled using a sliding window over the blocks. */ - - t1 = x223; - for (j=0; j<23; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &t1); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&t1, &t1, &x22); - for (j=0; j<5; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &t1); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&t1, &t1, a); - for (j=0; j<3; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &t1); - } - rustsecp256k1zkp_v0_5_0_fe_mul(&t1, &t1, &x2); - for (j=0; j<2; j++) { - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &t1); - } - rustsecp256k1zkp_v0_5_0_fe_mul(r, a, &t1); -} - -static void rustsecp256k1zkp_v0_5_0_fe_inv_var(rustsecp256k1zkp_v0_5_0_fe *r, const rustsecp256k1zkp_v0_5_0_fe *a) { -#if defined(USE_FIELD_INV_BUILTIN) - rustsecp256k1zkp_v0_5_0_fe_inv(r, a); -#elif defined(USE_FIELD_INV_NUM) - rustsecp256k1zkp_v0_5_0_num n, m; - static const rustsecp256k1zkp_v0_5_0_fe negone = SECP256K1_FE_CONST( - 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, - 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 0xFFFFFC2EUL - ); - /* secp256k1 field prime, value p defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ - static const unsigned char prime[32] = { - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F - }; - unsigned char b[32]; - int res; - rustsecp256k1zkp_v0_5_0_fe c = *a; - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&c); - rustsecp256k1zkp_v0_5_0_fe_get_b32(b, &c); - rustsecp256k1zkp_v0_5_0_num_set_bin(&n, b, 32); - rustsecp256k1zkp_v0_5_0_num_set_bin(&m, prime, 32); - rustsecp256k1zkp_v0_5_0_num_mod_inverse(&n, &n, &m); - rustsecp256k1zkp_v0_5_0_num_get_bin(b, 32, &n); - res = rustsecp256k1zkp_v0_5_0_fe_set_b32(r, b); - (void)res; - VERIFY_CHECK(res); - /* Verify the result is the (unique) valid inverse using non-GMP code. */ - rustsecp256k1zkp_v0_5_0_fe_mul(&c, &c, r); - rustsecp256k1zkp_v0_5_0_fe_add(&c, &negone); - CHECK(rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&c)); -#else -#error "Please select field inverse implementation" -#endif -} - -static int rustsecp256k1zkp_v0_5_0_fe_is_quad_var(const rustsecp256k1zkp_v0_5_0_fe *a) { -#ifndef USE_NUM_NONE - unsigned char b[32]; - rustsecp256k1zkp_v0_5_0_num n; - rustsecp256k1zkp_v0_5_0_num m; - /* secp256k1 field prime, value p defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ - static const unsigned char prime[32] = { - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F - }; - - rustsecp256k1zkp_v0_5_0_fe c = *a; - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&c); - rustsecp256k1zkp_v0_5_0_fe_get_b32(b, &c); - rustsecp256k1zkp_v0_5_0_num_set_bin(&n, b, 32); - rustsecp256k1zkp_v0_5_0_num_set_bin(&m, prime, 32); - return rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &m) >= 0; -#else - rustsecp256k1zkp_v0_5_0_fe r; - return rustsecp256k1zkp_v0_5_0_fe_sqrt(&r, a); -#endif -} - -static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_fe_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); +static const rustsecp256k1zkp_v0_6_0_fe rustsecp256k1zkp_v0_6_0_fe_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); #endif /* SECP256K1_FIELD_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/gen_context.c b/secp256k1-zkp-sys/depend/secp256k1/src/gen_context.c index d055aa0c..de910161 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/gen_context.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/gen_context.c @@ -9,10 +9,16 @@ #if !defined(ECMULT_GEN_PREC_BITS) #include "libsecp256k1-config.h" #endif -#define USE_BASIC_CONFIG 1 -#include "basic-config.h" -#include "include/secp256k1.h" +/* We can't require the precomputed tables when creating them. */ +#undef USE_ECMULT_STATIC_PRECOMPUTATION + +/* In principle we could use external ASM, but this yields only a minor speedup in + build time and it's very complicated. In particular when cross-compiling, we'd + need to build the external ASM for the build and the host machine. */ +#undef USE_EXTERNAL_ASM + +#include "../include/secp256k1.h" #include "assumptions.h" #include "util.h" #include "field_impl.h" @@ -26,13 +32,13 @@ static void default_error_callback_fn(const char* str, void* data) { abort(); } -static const rustsecp256k1zkp_v0_5_0_callback default_error_callback = { +static const rustsecp256k1zkp_v0_6_0_callback default_error_callback = { default_error_callback_fn, NULL }; int main(int argc, char **argv) { - rustsecp256k1zkp_v0_5_0_ecmult_gen_context ctx; + rustsecp256k1zkp_v0_6_0_ecmult_gen_context ctx; void *prealloc, *base; int inner; int outer; @@ -54,12 +60,12 @@ int main(int argc, char **argv) { fprintf(fp, "#if ECMULT_GEN_PREC_N != %d || ECMULT_GEN_PREC_G != %d\n", ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G); fprintf(fp, " #error configuration mismatch, invalid ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G. Try deleting ecmult_static_context.h before the build.\n"); fprintf(fp, "#endif\n"); - fprintf(fp, "static const rustsecp256k1zkp_v0_5_0_ge_storage rustsecp256k1zkp_v0_5_0_ecmult_static_context[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G] = {\n"); + fprintf(fp, "static const rustsecp256k1zkp_v0_6_0_ge_storage rustsecp256k1zkp_v0_6_0_ecmult_static_context[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G] = {\n"); base = checked_malloc(&default_error_callback, SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE); prealloc = base; - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_init(&ctx); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_build(&ctx, &prealloc); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_init(&ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_build(&ctx, &prealloc); for(outer = 0; outer != ECMULT_GEN_PREC_N; outer++) { fprintf(fp,"{\n"); for(inner = 0; inner != ECMULT_GEN_PREC_G; inner++) { @@ -77,7 +83,7 @@ int main(int argc, char **argv) { } } fprintf(fp,"};\n"); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_clear(&ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_clear(&ctx); free(base); fprintf(fp, "#undef SC\n"); diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/group.h b/secp256k1-zkp-sys/depend/secp256k1/src/group.h index 55465cd6..cc407fd9 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/group.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/group.h @@ -7,138 +7,128 @@ #ifndef SECP256K1_GROUP_H #define SECP256K1_GROUP_H -#include "num.h" #include "field.h" /** A group element of the secp256k1 curve, in affine coordinates. */ typedef struct { - rustsecp256k1zkp_v0_5_0_fe x; - rustsecp256k1zkp_v0_5_0_fe y; + rustsecp256k1zkp_v0_6_0_fe x; + rustsecp256k1zkp_v0_6_0_fe y; int infinity; /* whether this represents the point at infinity */ -} rustsecp256k1zkp_v0_5_0_ge; +} rustsecp256k1zkp_v0_6_0_ge; #define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), 0} #define SECP256K1_GE_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1} /** A group element of the secp256k1 curve, in jacobian coordinates. */ typedef struct { - rustsecp256k1zkp_v0_5_0_fe x; /* actual X: x/z^2 */ - rustsecp256k1zkp_v0_5_0_fe y; /* actual Y: y/z^3 */ - rustsecp256k1zkp_v0_5_0_fe z; + rustsecp256k1zkp_v0_6_0_fe x; /* actual X: x/z^2 */ + rustsecp256k1zkp_v0_6_0_fe y; /* actual Y: y/z^3 */ + rustsecp256k1zkp_v0_6_0_fe z; int infinity; /* whether this represents the point at infinity */ -} rustsecp256k1zkp_v0_5_0_gej; +} rustsecp256k1zkp_v0_6_0_gej; #define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 0} #define SECP256K1_GEJ_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1} typedef struct { - rustsecp256k1zkp_v0_5_0_fe_storage x; - rustsecp256k1zkp_v0_5_0_fe_storage y; -} rustsecp256k1zkp_v0_5_0_ge_storage; + rustsecp256k1zkp_v0_6_0_fe_storage x; + rustsecp256k1zkp_v0_6_0_fe_storage y; +} rustsecp256k1zkp_v0_6_0_ge_storage; #define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_STORAGE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_STORAGE_CONST((i),(j),(k),(l),(m),(n),(o),(p))} #define SECP256K1_GE_STORAGE_CONST_GET(t) SECP256K1_FE_STORAGE_CONST_GET(t.x), SECP256K1_FE_STORAGE_CONST_GET(t.y) /** Set a group element equal to the point with given X and Y coordinates */ -static void rustsecp256k1zkp_v0_5_0_ge_set_xy(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_fe *x, const rustsecp256k1zkp_v0_5_0_fe *y); - -/** Set a group element (affine) equal to the point with the given X coordinate - * and a Y coordinate that is a quadratic residue modulo p. The return value - * is true iff a coordinate with the given X coordinate exists. - */ -static int rustsecp256k1zkp_v0_5_0_ge_set_xquad(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_fe *x); +static void rustsecp256k1zkp_v0_6_0_ge_set_xy(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_fe *x, const rustsecp256k1zkp_v0_6_0_fe *y); /** Set a group element (affine) equal to the point with the given X coordinate, and given oddness * for Y. Return value indicates whether the result is valid. */ -static int rustsecp256k1zkp_v0_5_0_ge_set_xo_var(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_fe *x, int odd); +static int rustsecp256k1zkp_v0_6_0_ge_set_xo_var(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_fe *x, int odd); /** Check whether a group element is the point at infinity. */ -static int rustsecp256k1zkp_v0_5_0_ge_is_infinity(const rustsecp256k1zkp_v0_5_0_ge *a); +static int rustsecp256k1zkp_v0_6_0_ge_is_infinity(const rustsecp256k1zkp_v0_6_0_ge *a); /** Check whether a group element is valid (i.e., on the curve). */ -static int rustsecp256k1zkp_v0_5_0_ge_is_valid_var(const rustsecp256k1zkp_v0_5_0_ge *a); +static int rustsecp256k1zkp_v0_6_0_ge_is_valid_var(const rustsecp256k1zkp_v0_6_0_ge *a); /** Set r equal to the inverse of a (i.e., mirrored around the X axis) */ -static void rustsecp256k1zkp_v0_5_0_ge_neg(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_ge *a); +static void rustsecp256k1zkp_v0_6_0_ge_neg(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_ge *a); /** Set a group element equal to another which is given in jacobian coordinates. Constant time. */ -static void rustsecp256k1zkp_v0_5_0_ge_set_gej(rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_gej *a); +static void rustsecp256k1zkp_v0_6_0_ge_set_gej(rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_gej *a); /** Set a group element equal to another which is given in jacobian coordinates. */ -static void rustsecp256k1zkp_v0_5_0_ge_set_gej_var(rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_gej *a); +static void rustsecp256k1zkp_v0_6_0_ge_set_gej_var(rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_gej *a); /** Set a batch of group elements equal to the inputs given in jacobian coordinates */ -static void rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_gej *a, size_t len); +static void rustsecp256k1zkp_v0_6_0_ge_set_all_gej_var(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_gej *a, size_t len); /** Bring a batch inputs given in jacobian coordinates (with known z-ratios) to * the same global z "denominator". zr must contain the known z-ratios such * that mul(a[i].z, zr[i+1]) == a[i+1].z. zr[0] is ignored. The x and y * coordinates of the result are stored in r, the common z coordinate is * stored in globalz. */ -static void rustsecp256k1zkp_v0_5_0_ge_globalz_set_table_gej(size_t len, rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_fe *globalz, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_fe *zr); +static void rustsecp256k1zkp_v0_6_0_ge_globalz_set_table_gej(size_t len, rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_fe *globalz, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_fe *zr); /** Set a group element (affine) equal to the point at infinity. */ -static void rustsecp256k1zkp_v0_5_0_ge_set_infinity(rustsecp256k1zkp_v0_5_0_ge *r); +static void rustsecp256k1zkp_v0_6_0_ge_set_infinity(rustsecp256k1zkp_v0_6_0_ge *r); /** Set a group element (jacobian) equal to the point at infinity. */ -static void rustsecp256k1zkp_v0_5_0_gej_set_infinity(rustsecp256k1zkp_v0_5_0_gej *r); +static void rustsecp256k1zkp_v0_6_0_gej_set_infinity(rustsecp256k1zkp_v0_6_0_gej *r); /** Set a group element (jacobian) equal to another which is given in affine coordinates. */ -static void rustsecp256k1zkp_v0_5_0_gej_set_ge(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_ge *a); +static void rustsecp256k1zkp_v0_6_0_gej_set_ge(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_ge *a); /** Compare the X coordinate of a group element (jacobian). */ -static int rustsecp256k1zkp_v0_5_0_gej_eq_x_var(const rustsecp256k1zkp_v0_5_0_fe *x, const rustsecp256k1zkp_v0_5_0_gej *a); +static int rustsecp256k1zkp_v0_6_0_gej_eq_x_var(const rustsecp256k1zkp_v0_6_0_fe *x, const rustsecp256k1zkp_v0_6_0_gej *a); /** Set r equal to the inverse of a (i.e., mirrored around the X axis) */ -static void rustsecp256k1zkp_v0_5_0_gej_neg(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a); +static void rustsecp256k1zkp_v0_6_0_gej_neg(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a); /** Check whether a group element is the point at infinity. */ -static int rustsecp256k1zkp_v0_5_0_gej_is_infinity(const rustsecp256k1zkp_v0_5_0_gej *a); - -/** Check whether a group element's y coordinate is a quadratic residue. */ -static int rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(const rustsecp256k1zkp_v0_5_0_gej *a); +static int rustsecp256k1zkp_v0_6_0_gej_is_infinity(const rustsecp256k1zkp_v0_6_0_gej *a); /** Set r equal to the double of a. Constant time. */ -static void rustsecp256k1zkp_v0_5_0_gej_double(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a); +static void rustsecp256k1zkp_v0_6_0_gej_double(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a); /** Set r equal to the double of a. If rzr is not-NULL this sets *rzr such that r->z == a->z * *rzr (where infinity means an implicit z = 0). */ -static void rustsecp256k1zkp_v0_5_0_gej_double_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, rustsecp256k1zkp_v0_5_0_fe *rzr); +static void rustsecp256k1zkp_v0_6_0_gej_double_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, rustsecp256k1zkp_v0_6_0_fe *rzr); /** Set r equal to the sum of a and b. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case). */ -static void rustsecp256k1zkp_v0_5_0_gej_add_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_gej *b, rustsecp256k1zkp_v0_5_0_fe *rzr); +static void rustsecp256k1zkp_v0_6_0_gej_add_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_gej *b, rustsecp256k1zkp_v0_6_0_fe *rzr); /** Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity). */ -static void rustsecp256k1zkp_v0_5_0_gej_add_ge(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_ge *b); +static void rustsecp256k1zkp_v0_6_0_gej_add_ge(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_ge *b); /** Set r equal to the sum of a and b (with b given in affine coordinates). This is more efficient - than rustsecp256k1zkp_v0_5_0_gej_add_var. It is identical to rustsecp256k1zkp_v0_5_0_gej_add_ge but without constant-time + than rustsecp256k1zkp_v0_6_0_gej_add_var. It is identical to rustsecp256k1zkp_v0_6_0_gej_add_ge but without constant-time guarantee, and b is allowed to be infinity. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case). */ -static void rustsecp256k1zkp_v0_5_0_gej_add_ge_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_ge *b, rustsecp256k1zkp_v0_5_0_fe *rzr); +static void rustsecp256k1zkp_v0_6_0_gej_add_ge_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_ge *b, rustsecp256k1zkp_v0_6_0_fe *rzr); /** Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv). */ -static void rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_ge *b, const rustsecp256k1zkp_v0_5_0_fe *bzinv); +static void rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_ge *b, const rustsecp256k1zkp_v0_6_0_fe *bzinv); /** Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. */ -static void rustsecp256k1zkp_v0_5_0_ge_mul_lambda(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_ge *a); +static void rustsecp256k1zkp_v0_6_0_ge_mul_lambda(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_ge *a); -/** Clear a rustsecp256k1zkp_v0_5_0_gej to prevent leaking sensitive information. */ -static void rustsecp256k1zkp_v0_5_0_gej_clear(rustsecp256k1zkp_v0_5_0_gej *r); +/** Clear a rustsecp256k1zkp_v0_6_0_gej to prevent leaking sensitive information. */ +static void rustsecp256k1zkp_v0_6_0_gej_clear(rustsecp256k1zkp_v0_6_0_gej *r); -/** Clear a rustsecp256k1zkp_v0_5_0_ge to prevent leaking sensitive information. */ -static void rustsecp256k1zkp_v0_5_0_ge_clear(rustsecp256k1zkp_v0_5_0_ge *r); +/** Clear a rustsecp256k1zkp_v0_6_0_ge to prevent leaking sensitive information. */ +static void rustsecp256k1zkp_v0_6_0_ge_clear(rustsecp256k1zkp_v0_6_0_ge *r); /** Convert a group element to the storage type. */ -static void rustsecp256k1zkp_v0_5_0_ge_to_storage(rustsecp256k1zkp_v0_5_0_ge_storage *r, const rustsecp256k1zkp_v0_5_0_ge *a); +static void rustsecp256k1zkp_v0_6_0_ge_to_storage(rustsecp256k1zkp_v0_6_0_ge_storage *r, const rustsecp256k1zkp_v0_6_0_ge *a); /** Convert a group element back from the storage type. */ -static void rustsecp256k1zkp_v0_5_0_ge_from_storage(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_ge_storage *a); +static void rustsecp256k1zkp_v0_6_0_ge_from_storage(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_ge_storage *a); /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ -static void rustsecp256k1zkp_v0_5_0_ge_storage_cmov(rustsecp256k1zkp_v0_5_0_ge_storage *r, const rustsecp256k1zkp_v0_5_0_ge_storage *a, int flag); +static void rustsecp256k1zkp_v0_6_0_ge_storage_cmov(rustsecp256k1zkp_v0_6_0_ge_storage *r, const rustsecp256k1zkp_v0_6_0_ge_storage *a, int flag); /** Rescale a jacobian point by b which must be non-zero. Constant-time. */ -static void rustsecp256k1zkp_v0_5_0_gej_rescale(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_fe *b); +static void rustsecp256k1zkp_v0_6_0_gej_rescale(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_fe *b); /** Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve. * @@ -149,6 +139,6 @@ static void rustsecp256k1zkp_v0_5_0_gej_rescale(rustsecp256k1zkp_v0_5_0_gej *r, * (very) small subgroup, and that subgroup is what is used for all cryptographic operations. In that mode, this * function checks whether a point that is on the curve is in fact also in that subgroup. */ -static int rustsecp256k1zkp_v0_5_0_ge_is_in_correct_subgroup(const rustsecp256k1zkp_v0_5_0_ge* ge); +static int rustsecp256k1zkp_v0_6_0_ge_is_in_correct_subgroup(const rustsecp256k1zkp_v0_6_0_ge* ge); #endif /* SECP256K1_GROUP_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/group_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/group_impl.h index c80dcaa2..79724f60 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/group_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/group_impl.h @@ -7,7 +7,6 @@ #ifndef SECP256K1_GROUP_IMPL_H #define SECP256K1_GROUP_IMPL_H -#include "num.h" #include "field.h" #include "group.h" @@ -22,24 +21,24 @@ */ #if defined(EXHAUSTIVE_TEST_ORDER) # if EXHAUSTIVE_TEST_ORDER == 13 -static const rustsecp256k1zkp_v0_5_0_ge rustsecp256k1zkp_v0_5_0_ge_const_g = SECP256K1_GE_CONST( +static const rustsecp256k1zkp_v0_6_0_ge rustsecp256k1zkp_v0_6_0_ge_const_g = SECP256K1_GE_CONST( 0xc3459c3d, 0x35326167, 0xcd86cce8, 0x07a2417f, 0x5b8bd567, 0xde8538ee, 0x0d507b0c, 0xd128f5bb, 0x8e467fec, 0xcd30000a, 0x6cc1184e, 0x25d382c2, 0xa2f4494e, 0x2fbe9abc, 0x8b64abac, 0xd005fb24 ); -static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_fe_const_b = SECP256K1_FE_CONST( +static const rustsecp256k1zkp_v0_6_0_fe rustsecp256k1zkp_v0_6_0_fe_const_b = SECP256K1_FE_CONST( 0x3d3486b2, 0x159a9ca5, 0xc75638be, 0xb23a69bc, 0x946a45ab, 0x24801247, 0xb4ed2b8e, 0x26b6a417 ); # elif EXHAUSTIVE_TEST_ORDER == 199 -static const rustsecp256k1zkp_v0_5_0_ge rustsecp256k1zkp_v0_5_0_ge_const_g = SECP256K1_GE_CONST( +static const rustsecp256k1zkp_v0_6_0_ge rustsecp256k1zkp_v0_6_0_ge_const_g = SECP256K1_GE_CONST( 0x226e653f, 0xc8df7744, 0x9bacbf12, 0x7d1dcbf9, 0x87f05b2a, 0xe7edbd28, 0x1f564575, 0xc48dcf18, 0xa13872c2, 0xe933bb17, 0x5d9ffd5b, 0xb5b6e10c, 0x57fe3c00, 0xbaaaa15a, 0xe003ec3e, 0x9c269bae ); -static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_fe_const_b = SECP256K1_FE_CONST( +static const rustsecp256k1zkp_v0_6_0_fe rustsecp256k1zkp_v0_6_0_fe_const_b = SECP256K1_FE_CONST( 0x2cca28fa, 0xfc614b80, 0x2a3db42b, 0x00ba00b1, 0xbea8d943, 0xdace9ab2, 0x9536daea, 0x0074defb ); @@ -50,83 +49,84 @@ static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_fe_const_b = SEC /** Generator for secp256k1, value 'g' defined in * "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ -static const rustsecp256k1zkp_v0_5_0_ge rustsecp256k1zkp_v0_5_0_ge_const_g = SECP256K1_GE_CONST( +static const rustsecp256k1zkp_v0_6_0_ge rustsecp256k1zkp_v0_6_0_ge_const_g = SECP256K1_GE_CONST( 0x79BE667EUL, 0xF9DCBBACUL, 0x55A06295UL, 0xCE870B07UL, 0x029BFCDBUL, 0x2DCE28D9UL, 0x59F2815BUL, 0x16F81798UL, 0x483ADA77UL, 0x26A3C465UL, 0x5DA4FBFCUL, 0x0E1108A8UL, 0xFD17B448UL, 0xA6855419UL, 0x9C47D08FUL, 0xFB10D4B8UL ); -static const rustsecp256k1zkp_v0_5_0_fe rustsecp256k1zkp_v0_5_0_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7); +static const rustsecp256k1zkp_v0_6_0_fe rustsecp256k1zkp_v0_6_0_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7); #endif -static void rustsecp256k1zkp_v0_5_0_ge_set_gej_zinv(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_fe *zi) { - rustsecp256k1zkp_v0_5_0_fe zi2; - rustsecp256k1zkp_v0_5_0_fe zi3; - rustsecp256k1zkp_v0_5_0_fe_sqr(&zi2, zi); - rustsecp256k1zkp_v0_5_0_fe_mul(&zi3, &zi2, zi); - rustsecp256k1zkp_v0_5_0_fe_mul(&r->x, &a->x, &zi2); - rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &a->y, &zi3); +static void rustsecp256k1zkp_v0_6_0_ge_set_gej_zinv(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_fe *zi) { + rustsecp256k1zkp_v0_6_0_fe zi2; + rustsecp256k1zkp_v0_6_0_fe zi3; + rustsecp256k1zkp_v0_6_0_fe_sqr(&zi2, zi); + rustsecp256k1zkp_v0_6_0_fe_mul(&zi3, &zi2, zi); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->x, &a->x, &zi2); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &a->y, &zi3); r->infinity = a->infinity; } -static void rustsecp256k1zkp_v0_5_0_ge_set_xy(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_fe *x, const rustsecp256k1zkp_v0_5_0_fe *y) { +static void rustsecp256k1zkp_v0_6_0_ge_set_xy(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_fe *x, const rustsecp256k1zkp_v0_6_0_fe *y) { r->infinity = 0; r->x = *x; r->y = *y; } -static int rustsecp256k1zkp_v0_5_0_ge_is_infinity(const rustsecp256k1zkp_v0_5_0_ge *a) { +static int rustsecp256k1zkp_v0_6_0_ge_is_infinity(const rustsecp256k1zkp_v0_6_0_ge *a) { return a->infinity; } -static void rustsecp256k1zkp_v0_5_0_ge_neg(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_ge *a) { +static void rustsecp256k1zkp_v0_6_0_ge_neg(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_ge *a) { *r = *a; - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&r->y); - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &r->y, 1); + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&r->y); + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &r->y, 1); } -static void rustsecp256k1zkp_v0_5_0_ge_set_gej(rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_gej *a) { - rustsecp256k1zkp_v0_5_0_fe z2, z3; +static void rustsecp256k1zkp_v0_6_0_ge_set_gej(rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_gej *a) { + rustsecp256k1zkp_v0_6_0_fe z2, z3; r->infinity = a->infinity; - rustsecp256k1zkp_v0_5_0_fe_inv(&a->z, &a->z); - rustsecp256k1zkp_v0_5_0_fe_sqr(&z2, &a->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&z3, &a->z, &z2); - rustsecp256k1zkp_v0_5_0_fe_mul(&a->x, &a->x, &z2); - rustsecp256k1zkp_v0_5_0_fe_mul(&a->y, &a->y, &z3); - rustsecp256k1zkp_v0_5_0_fe_set_int(&a->z, 1); + rustsecp256k1zkp_v0_6_0_fe_inv(&a->z, &a->z); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z2, &a->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&z3, &a->z, &z2); + rustsecp256k1zkp_v0_6_0_fe_mul(&a->x, &a->x, &z2); + rustsecp256k1zkp_v0_6_0_fe_mul(&a->y, &a->y, &z3); + rustsecp256k1zkp_v0_6_0_fe_set_int(&a->z, 1); r->x = a->x; r->y = a->y; } -static void rustsecp256k1zkp_v0_5_0_ge_set_gej_var(rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_gej *a) { - rustsecp256k1zkp_v0_5_0_fe z2, z3; - r->infinity = a->infinity; +static void rustsecp256k1zkp_v0_6_0_ge_set_gej_var(rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_gej *a) { + rustsecp256k1zkp_v0_6_0_fe z2, z3; if (a->infinity) { + rustsecp256k1zkp_v0_6_0_ge_set_infinity(r); return; } - rustsecp256k1zkp_v0_5_0_fe_inv_var(&a->z, &a->z); - rustsecp256k1zkp_v0_5_0_fe_sqr(&z2, &a->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&z3, &a->z, &z2); - rustsecp256k1zkp_v0_5_0_fe_mul(&a->x, &a->x, &z2); - rustsecp256k1zkp_v0_5_0_fe_mul(&a->y, &a->y, &z3); - rustsecp256k1zkp_v0_5_0_fe_set_int(&a->z, 1); - r->x = a->x; - r->y = a->y; + rustsecp256k1zkp_v0_6_0_fe_inv_var(&a->z, &a->z); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z2, &a->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&z3, &a->z, &z2); + rustsecp256k1zkp_v0_6_0_fe_mul(&a->x, &a->x, &z2); + rustsecp256k1zkp_v0_6_0_fe_mul(&a->y, &a->y, &z3); + rustsecp256k1zkp_v0_6_0_fe_set_int(&a->z, 1); + rustsecp256k1zkp_v0_6_0_ge_set_xy(r, &a->x, &a->y); } -static void rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_gej *a, size_t len) { - rustsecp256k1zkp_v0_5_0_fe u; +static void rustsecp256k1zkp_v0_6_0_ge_set_all_gej_var(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_gej *a, size_t len) { + rustsecp256k1zkp_v0_6_0_fe u; size_t i; size_t last_i = SIZE_MAX; for (i = 0; i < len; i++) { - if (!a[i].infinity) { + if (a[i].infinity) { + rustsecp256k1zkp_v0_6_0_ge_set_infinity(&r[i]); + } else { /* Use destination's x coordinates as scratch space */ if (last_i == SIZE_MAX) { r[i].x = a[i].z; } else { - rustsecp256k1zkp_v0_5_0_fe_mul(&r[i].x, &r[last_i].x, &a[i].z); + rustsecp256k1zkp_v0_6_0_fe_mul(&r[i].x, &r[last_i].x, &a[i].z); } last_i = i; } @@ -134,14 +134,14 @@ static void rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(rustsecp256k1zkp_v0_5_0_g if (last_i == SIZE_MAX) { return; } - rustsecp256k1zkp_v0_5_0_fe_inv_var(&u, &r[last_i].x); + rustsecp256k1zkp_v0_6_0_fe_inv_var(&u, &r[last_i].x); i = last_i; while (i > 0) { i--; if (!a[i].infinity) { - rustsecp256k1zkp_v0_5_0_fe_mul(&r[last_i].x, &r[i].x, &u); - rustsecp256k1zkp_v0_5_0_fe_mul(&u, &u, &a[last_i].z); + rustsecp256k1zkp_v0_6_0_fe_mul(&r[last_i].x, &r[i].x, &u); + rustsecp256k1zkp_v0_6_0_fe_mul(&u, &u, &a[last_i].z); last_i = i; } } @@ -149,23 +149,22 @@ static void rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(rustsecp256k1zkp_v0_5_0_g r[last_i].x = u; for (i = 0; i < len; i++) { - r[i].infinity = a[i].infinity; if (!a[i].infinity) { - rustsecp256k1zkp_v0_5_0_ge_set_gej_zinv(&r[i], &a[i], &r[i].x); + rustsecp256k1zkp_v0_6_0_ge_set_gej_zinv(&r[i], &a[i], &r[i].x); } } } -static void rustsecp256k1zkp_v0_5_0_ge_globalz_set_table_gej(size_t len, rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_fe *globalz, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_fe *zr) { +static void rustsecp256k1zkp_v0_6_0_ge_globalz_set_table_gej(size_t len, rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_fe *globalz, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_fe *zr) { size_t i = len - 1; - rustsecp256k1zkp_v0_5_0_fe zs; + rustsecp256k1zkp_v0_6_0_fe zs; if (len > 0) { /* The z of the final point gives us the "global Z" for the table. */ r[i].x = a[i].x; r[i].y = a[i].y; /* Ensure all y values are in weak normal form for fast negation of points */ - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&r[i].y); + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&r[i].y); *globalz = a[i].z; r[i].infinity = 0; zs = zr[i]; @@ -173,104 +172,100 @@ static void rustsecp256k1zkp_v0_5_0_ge_globalz_set_table_gej(size_t len, rustsec /* Work our way backwards, using the z-ratios to scale the x/y values. */ while (i > 0) { if (i != len - 1) { - rustsecp256k1zkp_v0_5_0_fe_mul(&zs, &zs, &zr[i]); + rustsecp256k1zkp_v0_6_0_fe_mul(&zs, &zs, &zr[i]); } i--; - rustsecp256k1zkp_v0_5_0_ge_set_gej_zinv(&r[i], &a[i], &zs); + rustsecp256k1zkp_v0_6_0_ge_set_gej_zinv(&r[i], &a[i], &zs); } } } -static void rustsecp256k1zkp_v0_5_0_gej_set_infinity(rustsecp256k1zkp_v0_5_0_gej *r) { +static void rustsecp256k1zkp_v0_6_0_gej_set_infinity(rustsecp256k1zkp_v0_6_0_gej *r) { r->infinity = 1; - rustsecp256k1zkp_v0_5_0_fe_clear(&r->x); - rustsecp256k1zkp_v0_5_0_fe_clear(&r->y); - rustsecp256k1zkp_v0_5_0_fe_clear(&r->z); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->x); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->y); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->z); } -static void rustsecp256k1zkp_v0_5_0_ge_set_infinity(rustsecp256k1zkp_v0_5_0_ge *r) { +static void rustsecp256k1zkp_v0_6_0_ge_set_infinity(rustsecp256k1zkp_v0_6_0_ge *r) { r->infinity = 1; - rustsecp256k1zkp_v0_5_0_fe_clear(&r->x); - rustsecp256k1zkp_v0_5_0_fe_clear(&r->y); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->x); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->y); } -static void rustsecp256k1zkp_v0_5_0_gej_clear(rustsecp256k1zkp_v0_5_0_gej *r) { +static void rustsecp256k1zkp_v0_6_0_gej_clear(rustsecp256k1zkp_v0_6_0_gej *r) { r->infinity = 0; - rustsecp256k1zkp_v0_5_0_fe_clear(&r->x); - rustsecp256k1zkp_v0_5_0_fe_clear(&r->y); - rustsecp256k1zkp_v0_5_0_fe_clear(&r->z); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->x); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->y); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->z); } -static void rustsecp256k1zkp_v0_5_0_ge_clear(rustsecp256k1zkp_v0_5_0_ge *r) { +static void rustsecp256k1zkp_v0_6_0_ge_clear(rustsecp256k1zkp_v0_6_0_ge *r) { r->infinity = 0; - rustsecp256k1zkp_v0_5_0_fe_clear(&r->x); - rustsecp256k1zkp_v0_5_0_fe_clear(&r->y); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->x); + rustsecp256k1zkp_v0_6_0_fe_clear(&r->y); } -static int rustsecp256k1zkp_v0_5_0_ge_set_xquad(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_fe *x) { - rustsecp256k1zkp_v0_5_0_fe x2, x3; +static int rustsecp256k1zkp_v0_6_0_ge_set_xo_var(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_fe *x, int odd) { + rustsecp256k1zkp_v0_6_0_fe x2, x3; r->x = *x; - rustsecp256k1zkp_v0_5_0_fe_sqr(&x2, x); - rustsecp256k1zkp_v0_5_0_fe_mul(&x3, x, &x2); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x2, x); + rustsecp256k1zkp_v0_6_0_fe_mul(&x3, x, &x2); r->infinity = 0; - rustsecp256k1zkp_v0_5_0_fe_add(&x3, &rustsecp256k1zkp_v0_5_0_fe_const_b); - return rustsecp256k1zkp_v0_5_0_fe_sqrt(&r->y, &x3); -} - -static int rustsecp256k1zkp_v0_5_0_ge_set_xo_var(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_fe *x, int odd) { - if (!rustsecp256k1zkp_v0_5_0_ge_set_xquad(r, x)) { + rustsecp256k1zkp_v0_6_0_fe_add(&x3, &rustsecp256k1zkp_v0_6_0_fe_const_b); + if (!rustsecp256k1zkp_v0_6_0_fe_sqrt(&r->y, &x3)) { return 0; } - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&r->y); - if (rustsecp256k1zkp_v0_5_0_fe_is_odd(&r->y) != odd) { - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &r->y, 1); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&r->y); + if (rustsecp256k1zkp_v0_6_0_fe_is_odd(&r->y) != odd) { + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &r->y, 1); } return 1; } -static void rustsecp256k1zkp_v0_5_0_gej_set_ge(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_ge *a) { +static void rustsecp256k1zkp_v0_6_0_gej_set_ge(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_ge *a) { r->infinity = a->infinity; r->x = a->x; r->y = a->y; - rustsecp256k1zkp_v0_5_0_fe_set_int(&r->z, 1); + rustsecp256k1zkp_v0_6_0_fe_set_int(&r->z, 1); } -static int rustsecp256k1zkp_v0_5_0_gej_eq_x_var(const rustsecp256k1zkp_v0_5_0_fe *x, const rustsecp256k1zkp_v0_5_0_gej *a) { - rustsecp256k1zkp_v0_5_0_fe r, r2; +static int rustsecp256k1zkp_v0_6_0_gej_eq_x_var(const rustsecp256k1zkp_v0_6_0_fe *x, const rustsecp256k1zkp_v0_6_0_gej *a) { + rustsecp256k1zkp_v0_6_0_fe r, r2; VERIFY_CHECK(!a->infinity); - rustsecp256k1zkp_v0_5_0_fe_sqr(&r, &a->z); rustsecp256k1zkp_v0_5_0_fe_mul(&r, &r, x); - r2 = a->x; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&r2); - return rustsecp256k1zkp_v0_5_0_fe_equal_var(&r, &r2); + rustsecp256k1zkp_v0_6_0_fe_sqr(&r, &a->z); rustsecp256k1zkp_v0_6_0_fe_mul(&r, &r, x); + r2 = a->x; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&r2); + return rustsecp256k1zkp_v0_6_0_fe_equal_var(&r, &r2); } -static void rustsecp256k1zkp_v0_5_0_gej_neg(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a) { +static void rustsecp256k1zkp_v0_6_0_gej_neg(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a) { r->infinity = a->infinity; r->x = a->x; r->y = a->y; r->z = a->z; - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&r->y); - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &r->y, 1); + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&r->y); + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &r->y, 1); } -static int rustsecp256k1zkp_v0_5_0_gej_is_infinity(const rustsecp256k1zkp_v0_5_0_gej *a) { +static int rustsecp256k1zkp_v0_6_0_gej_is_infinity(const rustsecp256k1zkp_v0_6_0_gej *a) { return a->infinity; } -static int rustsecp256k1zkp_v0_5_0_ge_is_valid_var(const rustsecp256k1zkp_v0_5_0_ge *a) { - rustsecp256k1zkp_v0_5_0_fe y2, x3; +static int rustsecp256k1zkp_v0_6_0_ge_is_valid_var(const rustsecp256k1zkp_v0_6_0_ge *a) { + rustsecp256k1zkp_v0_6_0_fe y2, x3; if (a->infinity) { return 0; } /* y^2 = x^3 + 7 */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&y2, &a->y); - rustsecp256k1zkp_v0_5_0_fe_sqr(&x3, &a->x); rustsecp256k1zkp_v0_5_0_fe_mul(&x3, &x3, &a->x); - rustsecp256k1zkp_v0_5_0_fe_add(&x3, &rustsecp256k1zkp_v0_5_0_fe_const_b); - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&x3); - return rustsecp256k1zkp_v0_5_0_fe_equal_var(&y2, &x3); + rustsecp256k1zkp_v0_6_0_fe_sqr(&y2, &a->y); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x3, &a->x); rustsecp256k1zkp_v0_6_0_fe_mul(&x3, &x3, &a->x); + rustsecp256k1zkp_v0_6_0_fe_add(&x3, &rustsecp256k1zkp_v0_6_0_fe_const_b); + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&x3); + return rustsecp256k1zkp_v0_6_0_fe_equal_var(&y2, &x3); } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_gej_double(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_gej_double(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a) { /* Operations: 3 mul, 4 sqr, 0 normalize, 12 mul_int/add/negate. * * Note that there is an implementation described at @@ -278,33 +273,33 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_gej_double(rustsecp256k1zkp * which trades a multiply for a square, but in practice this is actually slower, * mainly because it requires more normalizations. */ - rustsecp256k1zkp_v0_5_0_fe t1,t2,t3,t4; + rustsecp256k1zkp_v0_6_0_fe t1,t2,t3,t4; r->infinity = a->infinity; - rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &a->z, &a->y); - rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->z, 2); /* Z' = 2*Y*Z (2) */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&t1, &a->x); - rustsecp256k1zkp_v0_5_0_fe_mul_int(&t1, 3); /* T1 = 3*X^2 (3) */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&t2, &t1); /* T2 = 9*X^4 (1) */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&t3, &a->y); - rustsecp256k1zkp_v0_5_0_fe_mul_int(&t3, 2); /* T3 = 2*Y^2 (2) */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&t4, &t3); - rustsecp256k1zkp_v0_5_0_fe_mul_int(&t4, 2); /* T4 = 8*Y^4 (2) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&t3, &t3, &a->x); /* T3 = 2*X*Y^2 (1) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &a->z, &a->y); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->z, 2); /* Z' = 2*Y*Z (2) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&t1, &a->x); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&t1, 3); /* T1 = 3*X^2 (3) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&t2, &t1); /* T2 = 9*X^4 (1) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&t3, &a->y); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&t3, 2); /* T3 = 2*Y^2 (2) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&t4, &t3); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&t4, 2); /* T4 = 8*Y^4 (2) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&t3, &t3, &a->x); /* T3 = 2*X*Y^2 (1) */ r->x = t3; - rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->x, 4); /* X' = 8*X*Y^2 (4) */ - rustsecp256k1zkp_v0_5_0_fe_negate(&r->x, &r->x, 4); /* X' = -8*X*Y^2 (5) */ - rustsecp256k1zkp_v0_5_0_fe_add(&r->x, &t2); /* X' = 9*X^4 - 8*X*Y^2 (6) */ - rustsecp256k1zkp_v0_5_0_fe_negate(&t2, &t2, 1); /* T2 = -9*X^4 (2) */ - rustsecp256k1zkp_v0_5_0_fe_mul_int(&t3, 6); /* T3 = 12*X*Y^2 (6) */ - rustsecp256k1zkp_v0_5_0_fe_add(&t3, &t2); /* T3 = 12*X*Y^2 - 9*X^4 (8) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &t1, &t3); /* Y' = 36*X^3*Y^2 - 27*X^6 (1) */ - rustsecp256k1zkp_v0_5_0_fe_negate(&t2, &t4, 2); /* T2 = -8*Y^4 (3) */ - rustsecp256k1zkp_v0_5_0_fe_add(&r->y, &t2); /* Y' = 36*X^3*Y^2 - 27*X^6 - 8*Y^4 (4) */ -} - -static void rustsecp256k1zkp_v0_5_0_gej_double_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, rustsecp256k1zkp_v0_5_0_fe *rzr) { + rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->x, 4); /* X' = 8*X*Y^2 (4) */ + rustsecp256k1zkp_v0_6_0_fe_negate(&r->x, &r->x, 4); /* X' = -8*X*Y^2 (5) */ + rustsecp256k1zkp_v0_6_0_fe_add(&r->x, &t2); /* X' = 9*X^4 - 8*X*Y^2 (6) */ + rustsecp256k1zkp_v0_6_0_fe_negate(&t2, &t2, 1); /* T2 = -9*X^4 (2) */ + rustsecp256k1zkp_v0_6_0_fe_mul_int(&t3, 6); /* T3 = 12*X*Y^2 (6) */ + rustsecp256k1zkp_v0_6_0_fe_add(&t3, &t2); /* T3 = 12*X*Y^2 - 9*X^4 (8) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &t1, &t3); /* Y' = 36*X^3*Y^2 - 27*X^6 (1) */ + rustsecp256k1zkp_v0_6_0_fe_negate(&t2, &t4, 2); /* T2 = -8*Y^4 (3) */ + rustsecp256k1zkp_v0_6_0_fe_add(&r->y, &t2); /* Y' = 36*X^3*Y^2 - 27*X^6 - 8*Y^4 (4) */ +} + +static void rustsecp256k1zkp_v0_6_0_gej_double_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, rustsecp256k1zkp_v0_6_0_fe *rzr) { /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity, * Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have * y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p. @@ -316,25 +311,25 @@ static void rustsecp256k1zkp_v0_5_0_gej_double_var(rustsecp256k1zkp_v0_5_0_gej * * point will be gibberish (z = 0 but infinity = 0). */ if (a->infinity) { - r->infinity = 1; + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); if (rzr != NULL) { - rustsecp256k1zkp_v0_5_0_fe_set_int(rzr, 1); + rustsecp256k1zkp_v0_6_0_fe_set_int(rzr, 1); } return; } if (rzr != NULL) { *rzr = a->y; - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(rzr); - rustsecp256k1zkp_v0_5_0_fe_mul_int(rzr, 2); + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(rzr); + rustsecp256k1zkp_v0_6_0_fe_mul_int(rzr, 2); } - rustsecp256k1zkp_v0_5_0_gej_double(r, a); + rustsecp256k1zkp_v0_6_0_gej_double(r, a); } -static void rustsecp256k1zkp_v0_5_0_gej_add_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_gej *b, rustsecp256k1zkp_v0_5_0_fe *rzr) { +static void rustsecp256k1zkp_v0_6_0_gej_add_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_gej *b, rustsecp256k1zkp_v0_6_0_fe *rzr) { /* Operations: 12 mul, 4 sqr, 2 normalize, 12 mul_int/add/negate */ - rustsecp256k1zkp_v0_5_0_fe z22, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; + rustsecp256k1zkp_v0_6_0_fe z22, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; if (a->infinity) { VERIFY_CHECK(rzr == NULL); @@ -344,112 +339,112 @@ static void rustsecp256k1zkp_v0_5_0_gej_add_var(rustsecp256k1zkp_v0_5_0_gej *r, if (b->infinity) { if (rzr != NULL) { - rustsecp256k1zkp_v0_5_0_fe_set_int(rzr, 1); + rustsecp256k1zkp_v0_6_0_fe_set_int(rzr, 1); } *r = *a; return; } r->infinity = 0; - rustsecp256k1zkp_v0_5_0_fe_sqr(&z22, &b->z); - rustsecp256k1zkp_v0_5_0_fe_sqr(&z12, &a->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&u1, &a->x, &z22); - rustsecp256k1zkp_v0_5_0_fe_mul(&u2, &b->x, &z12); - rustsecp256k1zkp_v0_5_0_fe_mul(&s1, &a->y, &z22); rustsecp256k1zkp_v0_5_0_fe_mul(&s1, &s1, &b->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &b->y, &z12); rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &s2, &a->z); - rustsecp256k1zkp_v0_5_0_fe_negate(&h, &u1, 1); rustsecp256k1zkp_v0_5_0_fe_add(&h, &u2); - rustsecp256k1zkp_v0_5_0_fe_negate(&i, &s1, 1); rustsecp256k1zkp_v0_5_0_fe_add(&i, &s2); - if (rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&h)) { - if (rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&i)) { - rustsecp256k1zkp_v0_5_0_gej_double_var(r, a, rzr); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z22, &b->z); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z12, &a->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&u1, &a->x, &z22); + rustsecp256k1zkp_v0_6_0_fe_mul(&u2, &b->x, &z12); + rustsecp256k1zkp_v0_6_0_fe_mul(&s1, &a->y, &z22); rustsecp256k1zkp_v0_6_0_fe_mul(&s1, &s1, &b->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &b->y, &z12); rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &s2, &a->z); + rustsecp256k1zkp_v0_6_0_fe_negate(&h, &u1, 1); rustsecp256k1zkp_v0_6_0_fe_add(&h, &u2); + rustsecp256k1zkp_v0_6_0_fe_negate(&i, &s1, 1); rustsecp256k1zkp_v0_6_0_fe_add(&i, &s2); + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&h)) { + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&i)) { + rustsecp256k1zkp_v0_6_0_gej_double_var(r, a, rzr); } else { if (rzr != NULL) { - rustsecp256k1zkp_v0_5_0_fe_set_int(rzr, 0); + rustsecp256k1zkp_v0_6_0_fe_set_int(rzr, 0); } - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); } return; } - rustsecp256k1zkp_v0_5_0_fe_sqr(&i2, &i); - rustsecp256k1zkp_v0_5_0_fe_sqr(&h2, &h); - rustsecp256k1zkp_v0_5_0_fe_mul(&h3, &h, &h2); - rustsecp256k1zkp_v0_5_0_fe_mul(&h, &h, &b->z); + rustsecp256k1zkp_v0_6_0_fe_sqr(&i2, &i); + rustsecp256k1zkp_v0_6_0_fe_sqr(&h2, &h); + rustsecp256k1zkp_v0_6_0_fe_mul(&h3, &h, &h2); + rustsecp256k1zkp_v0_6_0_fe_mul(&h, &h, &b->z); if (rzr != NULL) { *rzr = h; } - rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &a->z, &h); - rustsecp256k1zkp_v0_5_0_fe_mul(&t, &u1, &h2); - r->x = t; rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->x, 2); rustsecp256k1zkp_v0_5_0_fe_add(&r->x, &h3); rustsecp256k1zkp_v0_5_0_fe_negate(&r->x, &r->x, 3); rustsecp256k1zkp_v0_5_0_fe_add(&r->x, &i2); - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &r->x, 5); rustsecp256k1zkp_v0_5_0_fe_add(&r->y, &t); rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &r->y, &i); - rustsecp256k1zkp_v0_5_0_fe_mul(&h3, &h3, &s1); rustsecp256k1zkp_v0_5_0_fe_negate(&h3, &h3, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&r->y, &h3); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &a->z, &h); + rustsecp256k1zkp_v0_6_0_fe_mul(&t, &u1, &h2); + r->x = t; rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->x, 2); rustsecp256k1zkp_v0_6_0_fe_add(&r->x, &h3); rustsecp256k1zkp_v0_6_0_fe_negate(&r->x, &r->x, 3); rustsecp256k1zkp_v0_6_0_fe_add(&r->x, &i2); + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &r->x, 5); rustsecp256k1zkp_v0_6_0_fe_add(&r->y, &t); rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &r->y, &i); + rustsecp256k1zkp_v0_6_0_fe_mul(&h3, &h3, &s1); rustsecp256k1zkp_v0_6_0_fe_negate(&h3, &h3, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&r->y, &h3); } -static void rustsecp256k1zkp_v0_5_0_gej_add_ge_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_ge *b, rustsecp256k1zkp_v0_5_0_fe *rzr) { +static void rustsecp256k1zkp_v0_6_0_gej_add_ge_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_ge *b, rustsecp256k1zkp_v0_6_0_fe *rzr) { /* 8 mul, 3 sqr, 4 normalize, 12 mul_int/add/negate */ - rustsecp256k1zkp_v0_5_0_fe z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; + rustsecp256k1zkp_v0_6_0_fe z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; if (a->infinity) { VERIFY_CHECK(rzr == NULL); - rustsecp256k1zkp_v0_5_0_gej_set_ge(r, b); + rustsecp256k1zkp_v0_6_0_gej_set_ge(r, b); return; } if (b->infinity) { if (rzr != NULL) { - rustsecp256k1zkp_v0_5_0_fe_set_int(rzr, 1); + rustsecp256k1zkp_v0_6_0_fe_set_int(rzr, 1); } *r = *a; return; } r->infinity = 0; - rustsecp256k1zkp_v0_5_0_fe_sqr(&z12, &a->z); - u1 = a->x; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&u1); - rustsecp256k1zkp_v0_5_0_fe_mul(&u2, &b->x, &z12); - s1 = a->y; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&s1); - rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &b->y, &z12); rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &s2, &a->z); - rustsecp256k1zkp_v0_5_0_fe_negate(&h, &u1, 1); rustsecp256k1zkp_v0_5_0_fe_add(&h, &u2); - rustsecp256k1zkp_v0_5_0_fe_negate(&i, &s1, 1); rustsecp256k1zkp_v0_5_0_fe_add(&i, &s2); - if (rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&h)) { - if (rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&i)) { - rustsecp256k1zkp_v0_5_0_gej_double_var(r, a, rzr); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z12, &a->z); + u1 = a->x; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&u1); + rustsecp256k1zkp_v0_6_0_fe_mul(&u2, &b->x, &z12); + s1 = a->y; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&s1); + rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &b->y, &z12); rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &s2, &a->z); + rustsecp256k1zkp_v0_6_0_fe_negate(&h, &u1, 1); rustsecp256k1zkp_v0_6_0_fe_add(&h, &u2); + rustsecp256k1zkp_v0_6_0_fe_negate(&i, &s1, 1); rustsecp256k1zkp_v0_6_0_fe_add(&i, &s2); + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&h)) { + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&i)) { + rustsecp256k1zkp_v0_6_0_gej_double_var(r, a, rzr); } else { if (rzr != NULL) { - rustsecp256k1zkp_v0_5_0_fe_set_int(rzr, 0); + rustsecp256k1zkp_v0_6_0_fe_set_int(rzr, 0); } - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); } return; } - rustsecp256k1zkp_v0_5_0_fe_sqr(&i2, &i); - rustsecp256k1zkp_v0_5_0_fe_sqr(&h2, &h); - rustsecp256k1zkp_v0_5_0_fe_mul(&h3, &h, &h2); + rustsecp256k1zkp_v0_6_0_fe_sqr(&i2, &i); + rustsecp256k1zkp_v0_6_0_fe_sqr(&h2, &h); + rustsecp256k1zkp_v0_6_0_fe_mul(&h3, &h, &h2); if (rzr != NULL) { *rzr = h; } - rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &a->z, &h); - rustsecp256k1zkp_v0_5_0_fe_mul(&t, &u1, &h2); - r->x = t; rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->x, 2); rustsecp256k1zkp_v0_5_0_fe_add(&r->x, &h3); rustsecp256k1zkp_v0_5_0_fe_negate(&r->x, &r->x, 3); rustsecp256k1zkp_v0_5_0_fe_add(&r->x, &i2); - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &r->x, 5); rustsecp256k1zkp_v0_5_0_fe_add(&r->y, &t); rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &r->y, &i); - rustsecp256k1zkp_v0_5_0_fe_mul(&h3, &h3, &s1); rustsecp256k1zkp_v0_5_0_fe_negate(&h3, &h3, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&r->y, &h3); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &a->z, &h); + rustsecp256k1zkp_v0_6_0_fe_mul(&t, &u1, &h2); + r->x = t; rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->x, 2); rustsecp256k1zkp_v0_6_0_fe_add(&r->x, &h3); rustsecp256k1zkp_v0_6_0_fe_negate(&r->x, &r->x, 3); rustsecp256k1zkp_v0_6_0_fe_add(&r->x, &i2); + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &r->x, 5); rustsecp256k1zkp_v0_6_0_fe_add(&r->y, &t); rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &r->y, &i); + rustsecp256k1zkp_v0_6_0_fe_mul(&h3, &h3, &s1); rustsecp256k1zkp_v0_6_0_fe_negate(&h3, &h3, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&r->y, &h3); } -static void rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_ge *b, const rustsecp256k1zkp_v0_5_0_fe *bzinv) { +static void rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_ge *b, const rustsecp256k1zkp_v0_6_0_fe *bzinv) { /* 9 mul, 3 sqr, 4 normalize, 12 mul_int/add/negate */ - rustsecp256k1zkp_v0_5_0_fe az, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; + rustsecp256k1zkp_v0_6_0_fe az, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; if (b->infinity) { *r = *a; return; } if (a->infinity) { - rustsecp256k1zkp_v0_5_0_fe bzinv2, bzinv3; + rustsecp256k1zkp_v0_6_0_fe bzinv2, bzinv3; r->infinity = b->infinity; - rustsecp256k1zkp_v0_5_0_fe_sqr(&bzinv2, bzinv); - rustsecp256k1zkp_v0_5_0_fe_mul(&bzinv3, &bzinv2, bzinv); - rustsecp256k1zkp_v0_5_0_fe_mul(&r->x, &b->x, &bzinv2); - rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &b->y, &bzinv3); - rustsecp256k1zkp_v0_5_0_fe_set_int(&r->z, 1); + rustsecp256k1zkp_v0_6_0_fe_sqr(&bzinv2, bzinv); + rustsecp256k1zkp_v0_6_0_fe_mul(&bzinv3, &bzinv2, bzinv); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->x, &b->x, &bzinv2); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &b->y, &bzinv3); + rustsecp256k1zkp_v0_6_0_fe_set_int(&r->z, 1); return; } r->infinity = 0; @@ -462,40 +457,40 @@ static void rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(rustsecp256k1zkp_v0_5_0_gej * The variable az below holds the modified Z coordinate for a, which is used * for the computation of rx and ry, but not for rz. */ - rustsecp256k1zkp_v0_5_0_fe_mul(&az, &a->z, bzinv); - - rustsecp256k1zkp_v0_5_0_fe_sqr(&z12, &az); - u1 = a->x; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&u1); - rustsecp256k1zkp_v0_5_0_fe_mul(&u2, &b->x, &z12); - s1 = a->y; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&s1); - rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &b->y, &z12); rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &s2, &az); - rustsecp256k1zkp_v0_5_0_fe_negate(&h, &u1, 1); rustsecp256k1zkp_v0_5_0_fe_add(&h, &u2); - rustsecp256k1zkp_v0_5_0_fe_negate(&i, &s1, 1); rustsecp256k1zkp_v0_5_0_fe_add(&i, &s2); - if (rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&h)) { - if (rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero_var(&i)) { - rustsecp256k1zkp_v0_5_0_gej_double_var(r, a, NULL); + rustsecp256k1zkp_v0_6_0_fe_mul(&az, &a->z, bzinv); + + rustsecp256k1zkp_v0_6_0_fe_sqr(&z12, &az); + u1 = a->x; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&u1); + rustsecp256k1zkp_v0_6_0_fe_mul(&u2, &b->x, &z12); + s1 = a->y; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&s1); + rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &b->y, &z12); rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &s2, &az); + rustsecp256k1zkp_v0_6_0_fe_negate(&h, &u1, 1); rustsecp256k1zkp_v0_6_0_fe_add(&h, &u2); + rustsecp256k1zkp_v0_6_0_fe_negate(&i, &s1, 1); rustsecp256k1zkp_v0_6_0_fe_add(&i, &s2); + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&h)) { + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&i)) { + rustsecp256k1zkp_v0_6_0_gej_double_var(r, a, NULL); } else { - rustsecp256k1zkp_v0_5_0_gej_set_infinity(r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(r); } return; } - rustsecp256k1zkp_v0_5_0_fe_sqr(&i2, &i); - rustsecp256k1zkp_v0_5_0_fe_sqr(&h2, &h); - rustsecp256k1zkp_v0_5_0_fe_mul(&h3, &h, &h2); - r->z = a->z; rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &r->z, &h); - rustsecp256k1zkp_v0_5_0_fe_mul(&t, &u1, &h2); - r->x = t; rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->x, 2); rustsecp256k1zkp_v0_5_0_fe_add(&r->x, &h3); rustsecp256k1zkp_v0_5_0_fe_negate(&r->x, &r->x, 3); rustsecp256k1zkp_v0_5_0_fe_add(&r->x, &i2); - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &r->x, 5); rustsecp256k1zkp_v0_5_0_fe_add(&r->y, &t); rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &r->y, &i); - rustsecp256k1zkp_v0_5_0_fe_mul(&h3, &h3, &s1); rustsecp256k1zkp_v0_5_0_fe_negate(&h3, &h3, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&r->y, &h3); + rustsecp256k1zkp_v0_6_0_fe_sqr(&i2, &i); + rustsecp256k1zkp_v0_6_0_fe_sqr(&h2, &h); + rustsecp256k1zkp_v0_6_0_fe_mul(&h3, &h, &h2); + r->z = a->z; rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &r->z, &h); + rustsecp256k1zkp_v0_6_0_fe_mul(&t, &u1, &h2); + r->x = t; rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->x, 2); rustsecp256k1zkp_v0_6_0_fe_add(&r->x, &h3); rustsecp256k1zkp_v0_6_0_fe_negate(&r->x, &r->x, 3); rustsecp256k1zkp_v0_6_0_fe_add(&r->x, &i2); + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &r->x, 5); rustsecp256k1zkp_v0_6_0_fe_add(&r->y, &t); rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &r->y, &i); + rustsecp256k1zkp_v0_6_0_fe_mul(&h3, &h3, &s1); rustsecp256k1zkp_v0_6_0_fe_negate(&h3, &h3, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&r->y, &h3); } -static void rustsecp256k1zkp_v0_5_0_gej_add_ge(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_ge *b) { +static void rustsecp256k1zkp_v0_6_0_gej_add_ge(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_ge *b) { /* Operations: 7 mul, 5 sqr, 4 normalize, 21 mul_int/add/negate/cmov */ - static const rustsecp256k1zkp_v0_5_0_fe fe_1 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1zkp_v0_5_0_fe zz, u1, u2, s1, s2, t, tt, m, n, q, rr; - rustsecp256k1zkp_v0_5_0_fe m_alt, rr_alt; + static const rustsecp256k1zkp_v0_6_0_fe fe_1 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1zkp_v0_6_0_fe zz, u1, u2, s1, s2, t, tt, m, n, q, rr; + rustsecp256k1zkp_v0_6_0_fe m_alt, rr_alt; int infinity, degenerate; VERIFY_CHECK(!b->infinity); VERIFY_CHECK(a->infinity == 0 || a->infinity == 1); @@ -550,139 +545,125 @@ static void rustsecp256k1zkp_v0_5_0_gej_add_ge(rustsecp256k1zkp_v0_5_0_gej *r, c * so this covers everything. */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&zz, &a->z); /* z = Z1^2 */ - u1 = a->x; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&u1); /* u1 = U1 = X1*Z2^2 (1) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */ - s1 = a->y; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&s1); /* s1 = S1 = Y1*Z2^3 (1) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z1^2 (1) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */ - t = u1; rustsecp256k1zkp_v0_5_0_fe_add(&t, &u2); /* t = T = U1+U2 (2) */ - m = s1; rustsecp256k1zkp_v0_5_0_fe_add(&m, &s2); /* m = M = S1+S2 (2) */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&rr, &t); /* rr = T^2 (1) */ - rustsecp256k1zkp_v0_5_0_fe_negate(&m_alt, &u2, 1); /* Malt = -X2*Z1^2 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&tt, &u1, &m_alt); /* tt = -U1*U2 (2) */ - rustsecp256k1zkp_v0_5_0_fe_add(&rr, &tt); /* rr = R = T^2-U1*U2 (3) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&zz, &a->z); /* z = Z1^2 */ + u1 = a->x; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&u1); /* u1 = U1 = X1*Z2^2 (1) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */ + s1 = a->y; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&s1); /* s1 = S1 = Y1*Z2^3 (1) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z1^2 (1) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */ + t = u1; rustsecp256k1zkp_v0_6_0_fe_add(&t, &u2); /* t = T = U1+U2 (2) */ + m = s1; rustsecp256k1zkp_v0_6_0_fe_add(&m, &s2); /* m = M = S1+S2 (2) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&rr, &t); /* rr = T^2 (1) */ + rustsecp256k1zkp_v0_6_0_fe_negate(&m_alt, &u2, 1); /* Malt = -X2*Z1^2 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&tt, &u1, &m_alt); /* tt = -U1*U2 (2) */ + rustsecp256k1zkp_v0_6_0_fe_add(&rr, &tt); /* rr = R = T^2-U1*U2 (3) */ /** If lambda = R/M = 0/0 we have a problem (except in the "trivial" * case that Z = z1z2 = 0, and this is special-cased later on). */ - degenerate = rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(&m) & - rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(&rr); + degenerate = rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&m) & + rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&rr); /* This only occurs when y1 == -y2 and x1^3 == x2^3, but x1 != x2. * This means either x1 == beta*x2 or beta*x1 == x2, where beta is * a nontrivial cube root of one. In either case, an alternate * non-indeterminate expression for lambda is (y1 - y2)/(x1 - x2), * so we set R/M equal to this. */ rr_alt = s1; - rustsecp256k1zkp_v0_5_0_fe_mul_int(&rr_alt, 2); /* rr = Y1*Z2^3 - Y2*Z1^3 (2) */ - rustsecp256k1zkp_v0_5_0_fe_add(&m_alt, &u1); /* Malt = X1*Z2^2 - X2*Z1^2 */ + rustsecp256k1zkp_v0_6_0_fe_mul_int(&rr_alt, 2); /* rr = Y1*Z2^3 - Y2*Z1^3 (2) */ + rustsecp256k1zkp_v0_6_0_fe_add(&m_alt, &u1); /* Malt = X1*Z2^2 - X2*Z1^2 */ - rustsecp256k1zkp_v0_5_0_fe_cmov(&rr_alt, &rr, !degenerate); - rustsecp256k1zkp_v0_5_0_fe_cmov(&m_alt, &m, !degenerate); + rustsecp256k1zkp_v0_6_0_fe_cmov(&rr_alt, &rr, !degenerate); + rustsecp256k1zkp_v0_6_0_fe_cmov(&m_alt, &m, !degenerate); /* Now Ralt / Malt = lambda and is guaranteed not to be 0/0. * From here on out Ralt and Malt represent the numerator * and denominator of lambda; R and M represent the explicit * expressions x1^2 + x2^2 + x1x2 and y1 + y2. */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&n, &m_alt); /* n = Malt^2 (1) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&q, &n, &t); /* q = Q = T*Malt^2 (1) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&n, &m_alt); /* n = Malt^2 (1) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&q, &n, &t); /* q = Q = T*Malt^2 (1) */ /* These two lines use the observation that either M == Malt or M == 0, * so M^3 * Malt is either Malt^4 (which is computed by squaring), or * zero (which is "computed" by cmov). So the cost is one squaring * versus two multiplications. */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&n, &n); - rustsecp256k1zkp_v0_5_0_fe_cmov(&n, &m, degenerate); /* n = M^3 * Malt (2) */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Malt*Z (1) */ - infinity = rustsecp256k1zkp_v0_5_0_fe_normalizes_to_zero(&r->z) & ~a->infinity; - rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->z, 2); /* r->z = Z3 = 2*Malt*Z (2) */ - rustsecp256k1zkp_v0_5_0_fe_negate(&q, &q, 1); /* q = -Q (2) */ - rustsecp256k1zkp_v0_5_0_fe_add(&t, &q); /* t = Ralt^2-Q (3) */ - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&t); + rustsecp256k1zkp_v0_6_0_fe_sqr(&n, &n); + rustsecp256k1zkp_v0_6_0_fe_cmov(&n, &m, degenerate); /* n = M^3 * Malt (2) */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Malt*Z (1) */ + infinity = rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&r->z) & ~a->infinity; + rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->z, 2); /* r->z = Z3 = 2*Malt*Z (2) */ + rustsecp256k1zkp_v0_6_0_fe_negate(&q, &q, 1); /* q = -Q (2) */ + rustsecp256k1zkp_v0_6_0_fe_add(&t, &q); /* t = Ralt^2-Q (3) */ + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&t); r->x = t; /* r->x = Ralt^2-Q (1) */ - rustsecp256k1zkp_v0_5_0_fe_mul_int(&t, 2); /* t = 2*x3 (2) */ - rustsecp256k1zkp_v0_5_0_fe_add(&t, &q); /* t = 2*x3 - Q: (4) */ - rustsecp256k1zkp_v0_5_0_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*x3 - Q) (1) */ - rustsecp256k1zkp_v0_5_0_fe_add(&t, &n); /* t = Ralt*(2*x3 - Q) + M^3*Malt (3) */ - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &t, 3); /* r->y = Ralt*(Q - 2x3) - M^3*Malt (4) */ - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&r->y); - rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->x, 4); /* r->x = X3 = 4*(Ralt^2-Q) */ - rustsecp256k1zkp_v0_5_0_fe_mul_int(&r->y, 4); /* r->y = Y3 = 4*Ralt*(Q - 2x3) - 4*M^3*Malt (4) */ + rustsecp256k1zkp_v0_6_0_fe_mul_int(&t, 2); /* t = 2*x3 (2) */ + rustsecp256k1zkp_v0_6_0_fe_add(&t, &q); /* t = 2*x3 - Q: (4) */ + rustsecp256k1zkp_v0_6_0_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*x3 - Q) (1) */ + rustsecp256k1zkp_v0_6_0_fe_add(&t, &n); /* t = Ralt*(2*x3 - Q) + M^3*Malt (3) */ + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &t, 3); /* r->y = Ralt*(Q - 2x3) - M^3*Malt (4) */ + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&r->y); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->x, 4); /* r->x = X3 = 4*(Ralt^2-Q) */ + rustsecp256k1zkp_v0_6_0_fe_mul_int(&r->y, 4); /* r->y = Y3 = 4*Ralt*(Q - 2x3) - 4*M^3*Malt (4) */ /** In case a->infinity == 1, replace r with (b->x, b->y, 1). */ - rustsecp256k1zkp_v0_5_0_fe_cmov(&r->x, &b->x, a->infinity); - rustsecp256k1zkp_v0_5_0_fe_cmov(&r->y, &b->y, a->infinity); - rustsecp256k1zkp_v0_5_0_fe_cmov(&r->z, &fe_1, a->infinity); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r->x, &b->x, a->infinity); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r->y, &b->y, a->infinity); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r->z, &fe_1, a->infinity); r->infinity = infinity; } -static void rustsecp256k1zkp_v0_5_0_gej_rescale(rustsecp256k1zkp_v0_5_0_gej *r, const rustsecp256k1zkp_v0_5_0_fe *s) { +static void rustsecp256k1zkp_v0_6_0_gej_rescale(rustsecp256k1zkp_v0_6_0_gej *r, const rustsecp256k1zkp_v0_6_0_fe *s) { /* Operations: 4 mul, 1 sqr */ - rustsecp256k1zkp_v0_5_0_fe zz; - VERIFY_CHECK(!rustsecp256k1zkp_v0_5_0_fe_is_zero(s)); - rustsecp256k1zkp_v0_5_0_fe_sqr(&zz, s); - rustsecp256k1zkp_v0_5_0_fe_mul(&r->x, &r->x, &zz); /* r->x *= s^2 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &r->y, &zz); - rustsecp256k1zkp_v0_5_0_fe_mul(&r->y, &r->y, s); /* r->y *= s^3 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&r->z, &r->z, s); /* r->z *= s */ + rustsecp256k1zkp_v0_6_0_fe zz; + VERIFY_CHECK(!rustsecp256k1zkp_v0_6_0_fe_is_zero(s)); + rustsecp256k1zkp_v0_6_0_fe_sqr(&zz, s); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->x, &r->x, &zz); /* r->x *= s^2 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &r->y, &zz); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->y, &r->y, s); /* r->y *= s^3 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&r->z, &r->z, s); /* r->z *= s */ } -static void rustsecp256k1zkp_v0_5_0_ge_to_storage(rustsecp256k1zkp_v0_5_0_ge_storage *r, const rustsecp256k1zkp_v0_5_0_ge *a) { - rustsecp256k1zkp_v0_5_0_fe x, y; +static void rustsecp256k1zkp_v0_6_0_ge_to_storage(rustsecp256k1zkp_v0_6_0_ge_storage *r, const rustsecp256k1zkp_v0_6_0_ge *a) { + rustsecp256k1zkp_v0_6_0_fe x, y; VERIFY_CHECK(!a->infinity); x = a->x; - rustsecp256k1zkp_v0_5_0_fe_normalize(&x); + rustsecp256k1zkp_v0_6_0_fe_normalize(&x); y = a->y; - rustsecp256k1zkp_v0_5_0_fe_normalize(&y); - rustsecp256k1zkp_v0_5_0_fe_to_storage(&r->x, &x); - rustsecp256k1zkp_v0_5_0_fe_to_storage(&r->y, &y); + rustsecp256k1zkp_v0_6_0_fe_normalize(&y); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&r->x, &x); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&r->y, &y); } -static void rustsecp256k1zkp_v0_5_0_ge_from_storage(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_ge_storage *a) { - rustsecp256k1zkp_v0_5_0_fe_from_storage(&r->x, &a->x); - rustsecp256k1zkp_v0_5_0_fe_from_storage(&r->y, &a->y); +static void rustsecp256k1zkp_v0_6_0_ge_from_storage(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_ge_storage *a) { + rustsecp256k1zkp_v0_6_0_fe_from_storage(&r->x, &a->x); + rustsecp256k1zkp_v0_6_0_fe_from_storage(&r->y, &a->y); r->infinity = 0; } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_ge_storage_cmov(rustsecp256k1zkp_v0_5_0_ge_storage *r, const rustsecp256k1zkp_v0_5_0_ge_storage *a, int flag) { - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&r->x, &a->x, flag); - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&r->y, &a->y, flag); +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_ge_storage_cmov(rustsecp256k1zkp_v0_6_0_ge_storage *r, const rustsecp256k1zkp_v0_6_0_ge_storage *a, int flag) { + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&r->x, &a->x, flag); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&r->y, &a->y, flag); } -static void rustsecp256k1zkp_v0_5_0_ge_mul_lambda(rustsecp256k1zkp_v0_5_0_ge *r, const rustsecp256k1zkp_v0_5_0_ge *a) { - static const rustsecp256k1zkp_v0_5_0_fe beta = SECP256K1_FE_CONST( +static void rustsecp256k1zkp_v0_6_0_ge_mul_lambda(rustsecp256k1zkp_v0_6_0_ge *r, const rustsecp256k1zkp_v0_6_0_ge *a) { + static const rustsecp256k1zkp_v0_6_0_fe beta = SECP256K1_FE_CONST( 0x7ae96a2bul, 0x657c0710ul, 0x6e64479eul, 0xac3434e9ul, 0x9cf04975ul, 0x12f58995ul, 0xc1396c28ul, 0x719501eeul ); *r = *a; - rustsecp256k1zkp_v0_5_0_fe_mul(&r->x, &r->x, &beta); -} - -static int rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(const rustsecp256k1zkp_v0_5_0_gej *a) { - rustsecp256k1zkp_v0_5_0_fe yz; - - if (a->infinity) { - return 0; - } - - /* We rely on the fact that the Jacobi symbol of 1 / a->z^3 is the same as - * that of a->z. Thus a->y / a->z^3 is a quadratic residue iff a->y * a->z - is */ - rustsecp256k1zkp_v0_5_0_fe_mul(&yz, &a->y, &a->z); - return rustsecp256k1zkp_v0_5_0_fe_is_quad_var(&yz); + rustsecp256k1zkp_v0_6_0_fe_mul(&r->x, &r->x, &beta); } -static int rustsecp256k1zkp_v0_5_0_ge_is_in_correct_subgroup(const rustsecp256k1zkp_v0_5_0_ge* ge) { +static int rustsecp256k1zkp_v0_6_0_ge_is_in_correct_subgroup(const rustsecp256k1zkp_v0_6_0_ge* ge) { #ifdef EXHAUSTIVE_TEST_ORDER - rustsecp256k1zkp_v0_5_0_gej out; + rustsecp256k1zkp_v0_6_0_gej out; int i; /* A very simple EC multiplication ladder that avoids a dependency on ecmult. */ - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&out); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&out); for (i = 0; i < 32; ++i) { - rustsecp256k1zkp_v0_5_0_gej_double_var(&out, &out, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&out, &out, NULL); if ((((uint32_t)EXHAUSTIVE_TEST_ORDER) >> (31 - i)) & 1) { - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&out, &out, ge, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&out, &out, ge, NULL); } } - return rustsecp256k1zkp_v0_5_0_gej_is_infinity(&out); + return rustsecp256k1zkp_v0_6_0_gej_is_infinity(&out); #else (void)ge; /* The real secp256k1 group has cofactor 1, so the subgroup is the entire curve. */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/hash.h b/secp256k1-zkp-sys/depend/secp256k1/src/hash.h index 18dcc54e..2a6200cb 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/hash.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/hash.h @@ -14,28 +14,28 @@ typedef struct { uint32_t s[8]; uint32_t buf[16]; /* In big endian */ size_t bytes; -} rustsecp256k1zkp_v0_5_0_sha256; +} rustsecp256k1zkp_v0_6_0_sha256; -static void rustsecp256k1zkp_v0_5_0_sha256_initialize(rustsecp256k1zkp_v0_5_0_sha256 *hash); -static void rustsecp256k1zkp_v0_5_0_sha256_write(rustsecp256k1zkp_v0_5_0_sha256 *hash, const unsigned char *data, size_t size); -static void rustsecp256k1zkp_v0_5_0_sha256_finalize(rustsecp256k1zkp_v0_5_0_sha256 *hash, unsigned char *out32); +static void rustsecp256k1zkp_v0_6_0_sha256_initialize(rustsecp256k1zkp_v0_6_0_sha256 *hash); +static void rustsecp256k1zkp_v0_6_0_sha256_write(rustsecp256k1zkp_v0_6_0_sha256 *hash, const unsigned char *data, size_t size); +static void rustsecp256k1zkp_v0_6_0_sha256_finalize(rustsecp256k1zkp_v0_6_0_sha256 *hash, unsigned char *out32); typedef struct { - rustsecp256k1zkp_v0_5_0_sha256 inner, outer; -} rustsecp256k1zkp_v0_5_0_hmac_sha256; + rustsecp256k1zkp_v0_6_0_sha256 inner, outer; +} rustsecp256k1zkp_v0_6_0_hmac_sha256; -static void rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(rustsecp256k1zkp_v0_5_0_hmac_sha256 *hash, const unsigned char *key, size_t size); -static void rustsecp256k1zkp_v0_5_0_hmac_sha256_write(rustsecp256k1zkp_v0_5_0_hmac_sha256 *hash, const unsigned char *data, size_t size); -static void rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(rustsecp256k1zkp_v0_5_0_hmac_sha256 *hash, unsigned char *out32); +static void rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(rustsecp256k1zkp_v0_6_0_hmac_sha256 *hash, const unsigned char *key, size_t size); +static void rustsecp256k1zkp_v0_6_0_hmac_sha256_write(rustsecp256k1zkp_v0_6_0_hmac_sha256 *hash, const unsigned char *data, size_t size); +static void rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(rustsecp256k1zkp_v0_6_0_hmac_sha256 *hash, unsigned char *out32); typedef struct { unsigned char v[32]; unsigned char k[32]; int retry; -} rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256; +} rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256; -static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen); -static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen); -static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 *rng); +static void rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen); +static void rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen); +static void rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 *rng); #endif /* SECP256K1_HASH_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/hash_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/hash_impl.h index 45c2db54..f8b79813 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/hash_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/hash_impl.h @@ -34,7 +34,7 @@ #define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24)) #endif -static void rustsecp256k1zkp_v0_5_0_sha256_initialize(rustsecp256k1zkp_v0_5_0_sha256 *hash) { +static void rustsecp256k1zkp_v0_6_0_sha256_initialize(rustsecp256k1zkp_v0_6_0_sha256 *hash) { hash->s[0] = 0x6a09e667ul; hash->s[1] = 0xbb67ae85ul; hash->s[2] = 0x3c6ef372ul; @@ -47,7 +47,7 @@ static void rustsecp256k1zkp_v0_5_0_sha256_initialize(rustsecp256k1zkp_v0_5_0_sh } /** Perform one SHA-256 transformation, processing 16 big endian 32-bit words. */ -static void rustsecp256k1zkp_v0_5_0_sha256_transform(uint32_t* s, const uint32_t* chunk) { +static void rustsecp256k1zkp_v0_6_0_sha256_transform(uint32_t* s, const uint32_t* chunk) { uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7]; uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15; @@ -129,7 +129,7 @@ static void rustsecp256k1zkp_v0_5_0_sha256_transform(uint32_t* s, const uint32_t s[7] += h; } -static void rustsecp256k1zkp_v0_5_0_sha256_write(rustsecp256k1zkp_v0_5_0_sha256 *hash, const unsigned char *data, size_t len) { +static void rustsecp256k1zkp_v0_6_0_sha256_write(rustsecp256k1zkp_v0_6_0_sha256 *hash, const unsigned char *data, size_t len) { size_t bufsize = hash->bytes & 0x3F; hash->bytes += len; VERIFY_CHECK(hash->bytes >= len); @@ -139,7 +139,7 @@ static void rustsecp256k1zkp_v0_5_0_sha256_write(rustsecp256k1zkp_v0_5_0_sha256 memcpy(((unsigned char*)hash->buf) + bufsize, data, chunk_len); data += chunk_len; len -= chunk_len; - rustsecp256k1zkp_v0_5_0_sha256_transform(hash->s, hash->buf); + rustsecp256k1zkp_v0_6_0_sha256_transform(hash->s, hash->buf); bufsize = 0; } if (len) { @@ -148,15 +148,15 @@ static void rustsecp256k1zkp_v0_5_0_sha256_write(rustsecp256k1zkp_v0_5_0_sha256 } } -static void rustsecp256k1zkp_v0_5_0_sha256_finalize(rustsecp256k1zkp_v0_5_0_sha256 *hash, unsigned char *out32) { +static void rustsecp256k1zkp_v0_6_0_sha256_finalize(rustsecp256k1zkp_v0_6_0_sha256 *hash, unsigned char *out32) { static const unsigned char pad[64] = {0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; uint32_t sizedesc[2]; uint32_t out[8]; int i = 0; sizedesc[0] = BE32(hash->bytes >> 29); sizedesc[1] = BE32(hash->bytes << 3); - rustsecp256k1zkp_v0_5_0_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); - rustsecp256k1zkp_v0_5_0_sha256_write(hash, (const unsigned char*)sizedesc, 8); + rustsecp256k1zkp_v0_6_0_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); + rustsecp256k1zkp_v0_6_0_sha256_write(hash, (const unsigned char*)sizedesc, 8); for (i = 0; i < 8; i++) { out[i] = BE32(hash->s[i]); hash->s[i] = 0; @@ -166,60 +166,60 @@ static void rustsecp256k1zkp_v0_5_0_sha256_finalize(rustsecp256k1zkp_v0_5_0_sha2 /* Initializes a sha256 struct and writes the 64 byte string * SHA256(tag)||SHA256(tag) into it. */ -static void rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(rustsecp256k1zkp_v0_5_0_sha256 *hash, const unsigned char *tag, size_t taglen) { +static void rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(rustsecp256k1zkp_v0_6_0_sha256 *hash, const unsigned char *tag, size_t taglen) { unsigned char buf[32]; - rustsecp256k1zkp_v0_5_0_sha256_initialize(hash); - rustsecp256k1zkp_v0_5_0_sha256_write(hash, tag, taglen); - rustsecp256k1zkp_v0_5_0_sha256_finalize(hash, buf); + rustsecp256k1zkp_v0_6_0_sha256_initialize(hash); + rustsecp256k1zkp_v0_6_0_sha256_write(hash, tag, taglen); + rustsecp256k1zkp_v0_6_0_sha256_finalize(hash, buf); - rustsecp256k1zkp_v0_5_0_sha256_initialize(hash); - rustsecp256k1zkp_v0_5_0_sha256_write(hash, buf, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(hash, buf, 32); + rustsecp256k1zkp_v0_6_0_sha256_initialize(hash); + rustsecp256k1zkp_v0_6_0_sha256_write(hash, buf, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(hash, buf, 32); } -static void rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(rustsecp256k1zkp_v0_5_0_hmac_sha256 *hash, const unsigned char *key, size_t keylen) { +static void rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(rustsecp256k1zkp_v0_6_0_hmac_sha256 *hash, const unsigned char *key, size_t keylen) { size_t n; unsigned char rkey[64]; if (keylen <= sizeof(rkey)) { memcpy(rkey, key, keylen); memset(rkey + keylen, 0, sizeof(rkey) - keylen); } else { - rustsecp256k1zkp_v0_5_0_sha256 sha256; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256, key, keylen); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256, rkey); + rustsecp256k1zkp_v0_6_0_sha256 sha256; + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256, key, keylen); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256, rkey); memset(rkey + 32, 0, 32); } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&hash->outer); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&hash->outer); for (n = 0; n < sizeof(rkey); n++) { rkey[n] ^= 0x5c; } - rustsecp256k1zkp_v0_5_0_sha256_write(&hash->outer, rkey, sizeof(rkey)); + rustsecp256k1zkp_v0_6_0_sha256_write(&hash->outer, rkey, sizeof(rkey)); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&hash->inner); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&hash->inner); for (n = 0; n < sizeof(rkey); n++) { rkey[n] ^= 0x5c ^ 0x36; } - rustsecp256k1zkp_v0_5_0_sha256_write(&hash->inner, rkey, sizeof(rkey)); + rustsecp256k1zkp_v0_6_0_sha256_write(&hash->inner, rkey, sizeof(rkey)); memset(rkey, 0, sizeof(rkey)); } -static void rustsecp256k1zkp_v0_5_0_hmac_sha256_write(rustsecp256k1zkp_v0_5_0_hmac_sha256 *hash, const unsigned char *data, size_t size) { - rustsecp256k1zkp_v0_5_0_sha256_write(&hash->inner, data, size); +static void rustsecp256k1zkp_v0_6_0_hmac_sha256_write(rustsecp256k1zkp_v0_6_0_hmac_sha256 *hash, const unsigned char *data, size_t size) { + rustsecp256k1zkp_v0_6_0_sha256_write(&hash->inner, data, size); } -static void rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(rustsecp256k1zkp_v0_5_0_hmac_sha256 *hash, unsigned char *out32) { +static void rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(rustsecp256k1zkp_v0_6_0_hmac_sha256 *hash, unsigned char *out32) { unsigned char temp[32]; - rustsecp256k1zkp_v0_5_0_sha256_finalize(&hash->inner, temp); - rustsecp256k1zkp_v0_5_0_sha256_write(&hash->outer, temp, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&hash->inner, temp); + rustsecp256k1zkp_v0_6_0_sha256_write(&hash->outer, temp, 32); memset(temp, 0, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&hash->outer, out32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&hash->outer, out32); } -static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) { - rustsecp256k1zkp_v0_5_0_hmac_sha256 hmac; +static void rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) { + rustsecp256k1zkp_v0_6_0_hmac_sha256 hmac; static const unsigned char zero[1] = {0x00}; static const unsigned char one[1] = {0x01}; @@ -227,47 +227,47 @@ static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(rustsecp256k1 memset(rng->k, 0x00, 32); /* RFC6979 3.2.c. */ /* RFC6979 3.2.d. */ - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, zero, 1); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, key, keylen); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, rng->k); - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, zero, 1); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, key, keylen); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, rng->k); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, rng->v); /* RFC6979 3.2.f. */ - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, one, 1); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, key, keylen); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, rng->k); - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, one, 1); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, key, keylen); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, rng->k); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, rng->v); rng->retry = 0; } -static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen) { +static void rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen) { /* RFC6979 3.2.h. */ static const unsigned char zero[1] = {0x00}; if (rng->retry) { - rustsecp256k1zkp_v0_5_0_hmac_sha256 hmac; - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, zero, 1); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, rng->k); - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1zkp_v0_6_0_hmac_sha256 hmac; + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, zero, 1); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, rng->k); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, rng->v); } while (outlen > 0) { - rustsecp256k1zkp_v0_5_0_hmac_sha256 hmac; + rustsecp256k1zkp_v0_6_0_hmac_sha256 hmac; int now = outlen; - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hmac, rng->v); if (now > 32) { now = 32; } @@ -279,7 +279,7 @@ static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(rustsecp256k1zk rng->retry = 1; } -static void rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 *rng) { +static void rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 *rng) { memset(rng->k, 0, 32); memset(rng->v, 0, 32); rng->retry = 0; diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modinv32.h b/secp256k1-zkp-sys/depend/secp256k1/src/modinv32.h new file mode 100644 index 00000000..350c1315 --- /dev/null +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modinv32.h @@ -0,0 +1,42 @@ +/*********************************************************************** + * Copyright (c) 2020 Peter Dettman * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or https://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#ifndef SECP256K1_MODINV32_H +#define SECP256K1_MODINV32_H + +#if defined HAVE_CONFIG_H +#include "libsecp256k1-config.h" +#endif + +#include "util.h" + +/* A signed 30-bit limb representation of integers. + * + * Its value is sum(v[i] * 2^(30*i), i=0..8). */ +typedef struct { + int32_t v[9]; +} rustsecp256k1zkp_v0_6_0_modinv32_signed30; + +typedef struct { + /* The modulus in signed30 notation, must be odd and in [3, 2^256]. */ + rustsecp256k1zkp_v0_6_0_modinv32_signed30 modulus; + + /* modulus^{-1} mod 2^30 */ + uint32_t modulus_inv30; +} rustsecp256k1zkp_v0_6_0_modinv32_modinfo; + +/* Replace x with its modular inverse mod modinfo->modulus. x must be in range [0, modulus). + * If x is zero, the result will be zero as well. If not, the inverse must exist (i.e., the gcd of + * x and modulus must be 1). These rules are automatically satisfied if the modulus is prime. + * + * On output, all of x's limbs will be in [0, 2^30). + */ +static void rustsecp256k1zkp_v0_6_0_modinv32_var(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *x, const rustsecp256k1zkp_v0_6_0_modinv32_modinfo *modinfo); + +/* Same as rustsecp256k1zkp_v0_6_0_modinv32_var, but constant time in x (not in the modulus). */ +static void rustsecp256k1zkp_v0_6_0_modinv32(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *x, const rustsecp256k1zkp_v0_6_0_modinv32_modinfo *modinfo); + +#endif /* SECP256K1_MODINV32_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modinv32_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modinv32_impl.h new file mode 100644 index 00000000..39dbbde6 --- /dev/null +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modinv32_impl.h @@ -0,0 +1,587 @@ +/*********************************************************************** + * Copyright (c) 2020 Peter Dettman * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or https://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#ifndef SECP256K1_MODINV32_IMPL_H +#define SECP256K1_MODINV32_IMPL_H + +#include "modinv32.h" + +#include "util.h" + +#include + +/* This file implements modular inversion based on the paper "Fast constant-time gcd computation and + * modular inversion" by Daniel J. Bernstein and Bo-Yin Yang. + * + * For an explanation of the algorithm, see doc/safegcd_implementation.md. This file contains an + * implementation for N=30, using 30-bit signed limbs represented as int32_t. + */ + +#ifdef VERIFY +static const rustsecp256k1zkp_v0_6_0_modinv32_signed30 SECP256K1_SIGNED30_ONE = {{1}}; + +/* Compute a*factor and put it in r. All but the top limb in r will be in range [0,2^30). */ +static void rustsecp256k1zkp_v0_6_0_modinv32_mul_30(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *r, const rustsecp256k1zkp_v0_6_0_modinv32_signed30 *a, int alen, int32_t factor) { + const int32_t M30 = (int32_t)(UINT32_MAX >> 2); + int64_t c = 0; + int i; + for (i = 0; i < 8; ++i) { + if (i < alen) c += (int64_t)a->v[i] * factor; + r->v[i] = (int32_t)c & M30; c >>= 30; + } + if (8 < alen) c += (int64_t)a->v[8] * factor; + VERIFY_CHECK(c == (int32_t)c); + r->v[8] = (int32_t)c; +} + +/* Return -1 for ab*factor. A consists of alen limbs; b has 9. */ +static int rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(const rustsecp256k1zkp_v0_6_0_modinv32_signed30 *a, int alen, const rustsecp256k1zkp_v0_6_0_modinv32_signed30 *b, int32_t factor) { + int i; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 am, bm; + rustsecp256k1zkp_v0_6_0_modinv32_mul_30(&am, a, alen, 1); /* Normalize all but the top limb of a. */ + rustsecp256k1zkp_v0_6_0_modinv32_mul_30(&bm, b, 9, factor); + for (i = 0; i < 8; ++i) { + /* Verify that all but the top limb of a and b are normalized. */ + VERIFY_CHECK(am.v[i] >> 30 == 0); + VERIFY_CHECK(bm.v[i] >> 30 == 0); + } + for (i = 8; i >= 0; --i) { + if (am.v[i] < bm.v[i]) return -1; + if (am.v[i] > bm.v[i]) return 1; + } + return 0; +} +#endif + +/* Take as input a signed30 number in range (-2*modulus,modulus), and add a multiple of the modulus + * to it to bring it to range [0,modulus). If sign < 0, the input will also be negated in the + * process. The input must have limbs in range (-2^30,2^30). The output will have limbs in range + * [0,2^30). */ +static void rustsecp256k1zkp_v0_6_0_modinv32_normalize_30(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *r, int32_t sign, const rustsecp256k1zkp_v0_6_0_modinv32_modinfo *modinfo) { + const int32_t M30 = (int32_t)(UINT32_MAX >> 2); + int32_t r0 = r->v[0], r1 = r->v[1], r2 = r->v[2], r3 = r->v[3], r4 = r->v[4], + r5 = r->v[5], r6 = r->v[6], r7 = r->v[7], r8 = r->v[8]; + int32_t cond_add, cond_negate; + +#ifdef VERIFY + /* Verify that all limbs are in range (-2^30,2^30). */ + int i; + for (i = 0; i < 9; ++i) { + VERIFY_CHECK(r->v[i] >= -M30); + VERIFY_CHECK(r->v[i] <= M30); + } + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(r, 9, &modinfo->modulus, -2) > 0); /* r > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(r, 9, &modinfo->modulus, 1) < 0); /* r < modulus */ +#endif + + /* In a first step, add the modulus if the input is negative, and then negate if requested. + * This brings r from range (-2*modulus,modulus) to range (-modulus,modulus). As all input + * limbs are in range (-2^30,2^30), this cannot overflow an int32_t. Note that the right + * shifts below are signed sign-extending shifts (see assumptions.h for tests that that is + * indeed the behavior of the right shift operator). */ + cond_add = r8 >> 31; + r0 += modinfo->modulus.v[0] & cond_add; + r1 += modinfo->modulus.v[1] & cond_add; + r2 += modinfo->modulus.v[2] & cond_add; + r3 += modinfo->modulus.v[3] & cond_add; + r4 += modinfo->modulus.v[4] & cond_add; + r5 += modinfo->modulus.v[5] & cond_add; + r6 += modinfo->modulus.v[6] & cond_add; + r7 += modinfo->modulus.v[7] & cond_add; + r8 += modinfo->modulus.v[8] & cond_add; + cond_negate = sign >> 31; + r0 = (r0 ^ cond_negate) - cond_negate; + r1 = (r1 ^ cond_negate) - cond_negate; + r2 = (r2 ^ cond_negate) - cond_negate; + r3 = (r3 ^ cond_negate) - cond_negate; + r4 = (r4 ^ cond_negate) - cond_negate; + r5 = (r5 ^ cond_negate) - cond_negate; + r6 = (r6 ^ cond_negate) - cond_negate; + r7 = (r7 ^ cond_negate) - cond_negate; + r8 = (r8 ^ cond_negate) - cond_negate; + /* Propagate the top bits, to bring limbs back to range (-2^30,2^30). */ + r1 += r0 >> 30; r0 &= M30; + r2 += r1 >> 30; r1 &= M30; + r3 += r2 >> 30; r2 &= M30; + r4 += r3 >> 30; r3 &= M30; + r5 += r4 >> 30; r4 &= M30; + r6 += r5 >> 30; r5 &= M30; + r7 += r6 >> 30; r6 &= M30; + r8 += r7 >> 30; r7 &= M30; + + /* In a second step add the modulus again if the result is still negative, bringing r to range + * [0,modulus). */ + cond_add = r8 >> 31; + r0 += modinfo->modulus.v[0] & cond_add; + r1 += modinfo->modulus.v[1] & cond_add; + r2 += modinfo->modulus.v[2] & cond_add; + r3 += modinfo->modulus.v[3] & cond_add; + r4 += modinfo->modulus.v[4] & cond_add; + r5 += modinfo->modulus.v[5] & cond_add; + r6 += modinfo->modulus.v[6] & cond_add; + r7 += modinfo->modulus.v[7] & cond_add; + r8 += modinfo->modulus.v[8] & cond_add; + /* And propagate again. */ + r1 += r0 >> 30; r0 &= M30; + r2 += r1 >> 30; r1 &= M30; + r3 += r2 >> 30; r2 &= M30; + r4 += r3 >> 30; r3 &= M30; + r5 += r4 >> 30; r4 &= M30; + r6 += r5 >> 30; r5 &= M30; + r7 += r6 >> 30; r6 &= M30; + r8 += r7 >> 30; r7 &= M30; + + r->v[0] = r0; + r->v[1] = r1; + r->v[2] = r2; + r->v[3] = r3; + r->v[4] = r4; + r->v[5] = r5; + r->v[6] = r6; + r->v[7] = r7; + r->v[8] = r8; + +#ifdef VERIFY + VERIFY_CHECK(r0 >> 30 == 0); + VERIFY_CHECK(r1 >> 30 == 0); + VERIFY_CHECK(r2 >> 30 == 0); + VERIFY_CHECK(r3 >> 30 == 0); + VERIFY_CHECK(r4 >> 30 == 0); + VERIFY_CHECK(r5 >> 30 == 0); + VERIFY_CHECK(r6 >> 30 == 0); + VERIFY_CHECK(r7 >> 30 == 0); + VERIFY_CHECK(r8 >> 30 == 0); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(r, 9, &modinfo->modulus, 0) >= 0); /* r >= 0 */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(r, 9, &modinfo->modulus, 1) < 0); /* r < modulus */ +#endif +} + +/* Data type for transition matrices (see section 3 of explanation). + * + * t = [ u v ] + * [ q r ] + */ +typedef struct { + int32_t u, v, q, r; +} rustsecp256k1zkp_v0_6_0_modinv32_trans2x2; + +/* Compute the transition matrix and zeta for 30 divsteps. + * + * Input: zeta: initial zeta + * f0: bottom limb of initial f + * g0: bottom limb of initial g + * Output: t: transition matrix + * Return: final zeta + * + * Implements the divsteps_n_matrix function from the explanation. + */ +static int32_t rustsecp256k1zkp_v0_6_0_modinv32_divsteps_30(int32_t zeta, uint32_t f0, uint32_t g0, rustsecp256k1zkp_v0_6_0_modinv32_trans2x2 *t) { + /* u,v,q,r are the elements of the transformation matrix being built up, + * starting with the identity matrix. Semantically they are signed integers + * in range [-2^30,2^30], but here represented as unsigned mod 2^32. This + * permits left shifting (which is UB for negative numbers). The range + * being inside [-2^31,2^31) means that casting to signed works correctly. + */ + uint32_t u = 1, v = 0, q = 0, r = 1; + uint32_t c1, c2, f = f0, g = g0, x, y, z; + int i; + + for (i = 0; i < 30; ++i) { + VERIFY_CHECK((f & 1) == 1); /* f must always be odd */ + VERIFY_CHECK((u * f0 + v * g0) == f << i); + VERIFY_CHECK((q * f0 + r * g0) == g << i); + /* Compute conditional masks for (zeta < 0) and for (g & 1). */ + c1 = zeta >> 31; + c2 = -(g & 1); + /* Compute x,y,z, conditionally negated versions of f,u,v. */ + x = (f ^ c1) - c1; + y = (u ^ c1) - c1; + z = (v ^ c1) - c1; + /* Conditionally add x,y,z to g,q,r. */ + g += x & c2; + q += y & c2; + r += z & c2; + /* In what follows, c1 is a condition mask for (zeta < 0) and (g & 1). */ + c1 &= c2; + /* Conditionally change zeta into -zeta-2 or zeta-1. */ + zeta = (zeta ^ c1) - 1; + /* Conditionally add g,q,r to f,u,v. */ + f += g & c1; + u += q & c1; + v += r & c1; + /* Shifts */ + g >>= 1; + u <<= 1; + v <<= 1; + /* Bounds on zeta that follow from the bounds on iteration count (max 20*30 divsteps). */ + VERIFY_CHECK(zeta >= -601 && zeta <= 601); + } + /* Return data in t and return value. */ + t->u = (int32_t)u; + t->v = (int32_t)v; + t->q = (int32_t)q; + t->r = (int32_t)r; + /* The determinant of t must be a power of two. This guarantees that multiplication with t + * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which + * will be divided out again). As each divstep's individual matrix has determinant 2, the + * aggregate of 30 of them will have determinant 2^30. */ + VERIFY_CHECK((int64_t)t->u * t->r - (int64_t)t->v * t->q == ((int64_t)1) << 30); + return zeta; +} + +/* Compute the transition matrix and eta for 30 divsteps (variable time). + * + * Input: eta: initial eta + * f0: bottom limb of initial f + * g0: bottom limb of initial g + * Output: t: transition matrix + * Return: final eta + * + * Implements the divsteps_n_matrix_var function from the explanation. + */ +static int32_t rustsecp256k1zkp_v0_6_0_modinv32_divsteps_30_var(int32_t eta, uint32_t f0, uint32_t g0, rustsecp256k1zkp_v0_6_0_modinv32_trans2x2 *t) { + /* inv256[i] = -(2*i+1)^-1 (mod 256) */ + static const uint8_t inv256[128] = { + 0xFF, 0x55, 0x33, 0x49, 0xC7, 0x5D, 0x3B, 0x11, 0x0F, 0xE5, 0xC3, 0x59, + 0xD7, 0xED, 0xCB, 0x21, 0x1F, 0x75, 0x53, 0x69, 0xE7, 0x7D, 0x5B, 0x31, + 0x2F, 0x05, 0xE3, 0x79, 0xF7, 0x0D, 0xEB, 0x41, 0x3F, 0x95, 0x73, 0x89, + 0x07, 0x9D, 0x7B, 0x51, 0x4F, 0x25, 0x03, 0x99, 0x17, 0x2D, 0x0B, 0x61, + 0x5F, 0xB5, 0x93, 0xA9, 0x27, 0xBD, 0x9B, 0x71, 0x6F, 0x45, 0x23, 0xB9, + 0x37, 0x4D, 0x2B, 0x81, 0x7F, 0xD5, 0xB3, 0xC9, 0x47, 0xDD, 0xBB, 0x91, + 0x8F, 0x65, 0x43, 0xD9, 0x57, 0x6D, 0x4B, 0xA1, 0x9F, 0xF5, 0xD3, 0xE9, + 0x67, 0xFD, 0xDB, 0xB1, 0xAF, 0x85, 0x63, 0xF9, 0x77, 0x8D, 0x6B, 0xC1, + 0xBF, 0x15, 0xF3, 0x09, 0x87, 0x1D, 0xFB, 0xD1, 0xCF, 0xA5, 0x83, 0x19, + 0x97, 0xAD, 0x8B, 0xE1, 0xDF, 0x35, 0x13, 0x29, 0xA7, 0x3D, 0x1B, 0xF1, + 0xEF, 0xC5, 0xA3, 0x39, 0xB7, 0xCD, 0xAB, 0x01 + }; + + /* Transformation matrix; see comments in rustsecp256k1zkp_v0_6_0_modinv32_divsteps_30. */ + uint32_t u = 1, v = 0, q = 0, r = 1; + uint32_t f = f0, g = g0, m; + uint16_t w; + int i = 30, limit, zeros; + + for (;;) { + /* Use a sentinel bit to count zeros only up to i. */ + zeros = rustsecp256k1zkp_v0_6_0_ctz32_var(g | (UINT32_MAX << i)); + /* Perform zeros divsteps at once; they all just divide g by two. */ + g >>= zeros; + u <<= zeros; + v <<= zeros; + eta -= zeros; + i -= zeros; + /* We're done once we've done 30 divsteps. */ + if (i == 0) break; + VERIFY_CHECK((f & 1) == 1); + VERIFY_CHECK((g & 1) == 1); + VERIFY_CHECK((u * f0 + v * g0) == f << (30 - i)); + VERIFY_CHECK((q * f0 + r * g0) == g << (30 - i)); + /* Bounds on eta that follow from the bounds on iteration count (max 25*30 divsteps). */ + VERIFY_CHECK(eta >= -751 && eta <= 751); + /* If eta is negative, negate it and replace f,g with g,-f. */ + if (eta < 0) { + uint32_t tmp; + eta = -eta; + tmp = f; f = g; g = -tmp; + tmp = u; u = q; q = -tmp; + tmp = v; v = r; r = -tmp; + } + /* eta is now >= 0. In what follows we're going to cancel out the bottom bits of g. No more + * than i can be cancelled out (as we'd be done before that point), and no more than eta+1 + * can be done as its sign will flip once that happens. */ + limit = ((int)eta + 1) > i ? i : ((int)eta + 1); + /* m is a mask for the bottom min(limit, 8) bits (our table only supports 8 bits). */ + VERIFY_CHECK(limit > 0 && limit <= 30); + m = (UINT32_MAX >> (32 - limit)) & 255U; + /* Find what multiple of f must be added to g to cancel its bottom min(limit, 8) bits. */ + w = (g * inv256[(f >> 1) & 127]) & m; + /* Do so. */ + g += f * w; + q += u * w; + r += v * w; + VERIFY_CHECK((g & m) == 0); + } + /* Return data in t and return value. */ + t->u = (int32_t)u; + t->v = (int32_t)v; + t->q = (int32_t)q; + t->r = (int32_t)r; + /* The determinant of t must be a power of two. This guarantees that multiplication with t + * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which + * will be divided out again). As each divstep's individual matrix has determinant 2, the + * aggregate of 30 of them will have determinant 2^30. */ + VERIFY_CHECK((int64_t)t->u * t->r - (int64_t)t->v * t->q == ((int64_t)1) << 30); + return eta; +} + +/* Compute (t/2^30) * [d, e] mod modulus, where t is a transition matrix for 30 divsteps. + * + * On input and output, d and e are in range (-2*modulus,modulus). All output limbs will be in range + * (-2^30,2^30). + * + * This implements the update_de function from the explanation. + */ +static void rustsecp256k1zkp_v0_6_0_modinv32_update_de_30(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *d, rustsecp256k1zkp_v0_6_0_modinv32_signed30 *e, const rustsecp256k1zkp_v0_6_0_modinv32_trans2x2 *t, const rustsecp256k1zkp_v0_6_0_modinv32_modinfo* modinfo) { + const int32_t M30 = (int32_t)(UINT32_MAX >> 2); + const int32_t u = t->u, v = t->v, q = t->q, r = t->r; + int32_t di, ei, md, me, sd, se; + int64_t cd, ce; + int i; +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(d, 9, &modinfo->modulus, -2) > 0); /* d > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(d, 9, &modinfo->modulus, 1) < 0); /* d < modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(e, 9, &modinfo->modulus, -2) > 0); /* e > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(e, 9, &modinfo->modulus, 1) < 0); /* e < modulus */ + VERIFY_CHECK((labs(u) + labs(v)) >= 0); /* |u|+|v| doesn't overflow */ + VERIFY_CHECK((labs(q) + labs(r)) >= 0); /* |q|+|r| doesn't overflow */ + VERIFY_CHECK((labs(u) + labs(v)) <= M30 + 1); /* |u|+|v| <= 2^30 */ + VERIFY_CHECK((labs(q) + labs(r)) <= M30 + 1); /* |q|+|r| <= 2^30 */ +#endif + /* [md,me] start as zero; plus [u,q] if d is negative; plus [v,r] if e is negative. */ + sd = d->v[8] >> 31; + se = e->v[8] >> 31; + md = (u & sd) + (v & se); + me = (q & sd) + (r & se); + /* Begin computing t*[d,e]. */ + di = d->v[0]; + ei = e->v[0]; + cd = (int64_t)u * di + (int64_t)v * ei; + ce = (int64_t)q * di + (int64_t)r * ei; + /* Correct md,me so that t*[d,e]+modulus*[md,me] has 30 zero bottom bits. */ + md -= (modinfo->modulus_inv30 * (uint32_t)cd + md) & M30; + me -= (modinfo->modulus_inv30 * (uint32_t)ce + me) & M30; + /* Update the beginning of computation for t*[d,e]+modulus*[md,me] now md,me are known. */ + cd += (int64_t)modinfo->modulus.v[0] * md; + ce += (int64_t)modinfo->modulus.v[0] * me; + /* Verify that the low 30 bits of the computation are indeed zero, and then throw them away. */ + VERIFY_CHECK(((int32_t)cd & M30) == 0); cd >>= 30; + VERIFY_CHECK(((int32_t)ce & M30) == 0); ce >>= 30; + /* Now iteratively compute limb i=1..8 of t*[d,e]+modulus*[md,me], and store them in output + * limb i-1 (shifting down by 30 bits). */ + for (i = 1; i < 9; ++i) { + di = d->v[i]; + ei = e->v[i]; + cd += (int64_t)u * di + (int64_t)v * ei; + ce += (int64_t)q * di + (int64_t)r * ei; + cd += (int64_t)modinfo->modulus.v[i] * md; + ce += (int64_t)modinfo->modulus.v[i] * me; + d->v[i - 1] = (int32_t)cd & M30; cd >>= 30; + e->v[i - 1] = (int32_t)ce & M30; ce >>= 30; + } + /* What remains is limb 9 of t*[d,e]+modulus*[md,me]; store it as output limb 8. */ + d->v[8] = (int32_t)cd; + e->v[8] = (int32_t)ce; +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(d, 9, &modinfo->modulus, -2) > 0); /* d > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(d, 9, &modinfo->modulus, 1) < 0); /* d < modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(e, 9, &modinfo->modulus, -2) > 0); /* e > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(e, 9, &modinfo->modulus, 1) < 0); /* e < modulus */ +#endif +} + +/* Compute (t/2^30) * [f, g], where t is a transition matrix for 30 divsteps. + * + * This implements the update_fg function from the explanation. + */ +static void rustsecp256k1zkp_v0_6_0_modinv32_update_fg_30(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *f, rustsecp256k1zkp_v0_6_0_modinv32_signed30 *g, const rustsecp256k1zkp_v0_6_0_modinv32_trans2x2 *t) { + const int32_t M30 = (int32_t)(UINT32_MAX >> 2); + const int32_t u = t->u, v = t->v, q = t->q, r = t->r; + int32_t fi, gi; + int64_t cf, cg; + int i; + /* Start computing t*[f,g]. */ + fi = f->v[0]; + gi = g->v[0]; + cf = (int64_t)u * fi + (int64_t)v * gi; + cg = (int64_t)q * fi + (int64_t)r * gi; + /* Verify that the bottom 30 bits of the result are zero, and then throw them away. */ + VERIFY_CHECK(((int32_t)cf & M30) == 0); cf >>= 30; + VERIFY_CHECK(((int32_t)cg & M30) == 0); cg >>= 30; + /* Now iteratively compute limb i=1..8 of t*[f,g], and store them in output limb i-1 (shifting + * down by 30 bits). */ + for (i = 1; i < 9; ++i) { + fi = f->v[i]; + gi = g->v[i]; + cf += (int64_t)u * fi + (int64_t)v * gi; + cg += (int64_t)q * fi + (int64_t)r * gi; + f->v[i - 1] = (int32_t)cf & M30; cf >>= 30; + g->v[i - 1] = (int32_t)cg & M30; cg >>= 30; + } + /* What remains is limb 9 of t*[f,g]; store it as output limb 8. */ + f->v[8] = (int32_t)cf; + g->v[8] = (int32_t)cg; +} + +/* Compute (t/2^30) * [f, g], where t is a transition matrix for 30 divsteps. + * + * Version that operates on a variable number of limbs in f and g. + * + * This implements the update_fg function from the explanation in modinv64_impl.h. + */ +static void rustsecp256k1zkp_v0_6_0_modinv32_update_fg_30_var(int len, rustsecp256k1zkp_v0_6_0_modinv32_signed30 *f, rustsecp256k1zkp_v0_6_0_modinv32_signed30 *g, const rustsecp256k1zkp_v0_6_0_modinv32_trans2x2 *t) { + const int32_t M30 = (int32_t)(UINT32_MAX >> 2); + const int32_t u = t->u, v = t->v, q = t->q, r = t->r; + int32_t fi, gi; + int64_t cf, cg; + int i; + VERIFY_CHECK(len > 0); + /* Start computing t*[f,g]. */ + fi = f->v[0]; + gi = g->v[0]; + cf = (int64_t)u * fi + (int64_t)v * gi; + cg = (int64_t)q * fi + (int64_t)r * gi; + /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */ + VERIFY_CHECK(((int32_t)cf & M30) == 0); cf >>= 30; + VERIFY_CHECK(((int32_t)cg & M30) == 0); cg >>= 30; + /* Now iteratively compute limb i=1..len of t*[f,g], and store them in output limb i-1 (shifting + * down by 30 bits). */ + for (i = 1; i < len; ++i) { + fi = f->v[i]; + gi = g->v[i]; + cf += (int64_t)u * fi + (int64_t)v * gi; + cg += (int64_t)q * fi + (int64_t)r * gi; + f->v[i - 1] = (int32_t)cf & M30; cf >>= 30; + g->v[i - 1] = (int32_t)cg & M30; cg >>= 30; + } + /* What remains is limb (len) of t*[f,g]; store it as output limb (len-1). */ + f->v[len - 1] = (int32_t)cf; + g->v[len - 1] = (int32_t)cg; +} + +/* Compute the inverse of x modulo modinfo->modulus, and replace x with it (constant time in x). */ +static void rustsecp256k1zkp_v0_6_0_modinv32(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *x, const rustsecp256k1zkp_v0_6_0_modinv32_modinfo *modinfo) { + /* Start with d=0, e=1, f=modulus, g=x, zeta=-1. */ + rustsecp256k1zkp_v0_6_0_modinv32_signed30 d = {{0}}; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 e = {{1}}; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 f = modinfo->modulus; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 g = *x; + int i; + int32_t zeta = -1; /* zeta = -(delta+1/2); delta is initially 1/2. */ + + /* Do 20 iterations of 30 divsteps each = 600 divsteps. 590 suffices for 256-bit inputs. */ + for (i = 0; i < 20; ++i) { + /* Compute transition matrix and new zeta after 30 divsteps. */ + rustsecp256k1zkp_v0_6_0_modinv32_trans2x2 t; + zeta = rustsecp256k1zkp_v0_6_0_modinv32_divsteps_30(zeta, f.v[0], g.v[0], &t); + /* Update d,e using that transition matrix. */ + rustsecp256k1zkp_v0_6_0_modinv32_update_de_30(&d, &e, &t, modinfo); + /* Update f,g using that transition matrix. */ +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, 9, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, 9, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + rustsecp256k1zkp_v0_6_0_modinv32_update_fg_30(&f, &g, &t); +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, 9, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, 9, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + } + + /* At this point sufficient iterations have been performed that g must have reached 0 + * and (if g was not originally 0) f must now equal +/- GCD of the initial f, g + * values i.e. +/- 1, and d now contains +/- the modular inverse. */ +#ifdef VERIFY + /* g == 0 */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, 9, &SECP256K1_SIGNED30_ONE, 0) == 0); + /* |f| == 1, or (x == 0 and d == 0 and |f|=modulus) */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &SECP256K1_SIGNED30_ONE, -1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &SECP256K1_SIGNED30_ONE, 1) == 0 || + (rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(x, 9, &SECP256K1_SIGNED30_ONE, 0) == 0 && + rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&d, 9, &SECP256K1_SIGNED30_ONE, 0) == 0 && + (rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &modinfo->modulus, 1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, 9, &modinfo->modulus, -1) == 0))); +#endif + + /* Optionally negate d, normalize to [0,modulus), and return it. */ + rustsecp256k1zkp_v0_6_0_modinv32_normalize_30(&d, f.v[8], modinfo); + *x = d; +} + +/* Compute the inverse of x modulo modinfo->modulus, and replace x with it (variable time). */ +static void rustsecp256k1zkp_v0_6_0_modinv32_var(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *x, const rustsecp256k1zkp_v0_6_0_modinv32_modinfo *modinfo) { + /* Start with d=0, e=1, f=modulus, g=x, eta=-1. */ + rustsecp256k1zkp_v0_6_0_modinv32_signed30 d = {{0, 0, 0, 0, 0, 0, 0, 0, 0}}; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 e = {{1, 0, 0, 0, 0, 0, 0, 0, 0}}; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 f = modinfo->modulus; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 g = *x; +#ifdef VERIFY + int i = 0; +#endif + int j, len = 9; + int32_t eta = -1; /* eta = -delta; delta is initially 1 (faster for the variable-time code) */ + int32_t cond, fn, gn; + + /* Do iterations of 30 divsteps each until g=0. */ + while (1) { + /* Compute transition matrix and new eta after 30 divsteps. */ + rustsecp256k1zkp_v0_6_0_modinv32_trans2x2 t; + eta = rustsecp256k1zkp_v0_6_0_modinv32_divsteps_30_var(eta, f.v[0], g.v[0], &t); + /* Update d,e using that transition matrix. */ + rustsecp256k1zkp_v0_6_0_modinv32_update_de_30(&d, &e, &t, modinfo); + /* Update f,g using that transition matrix. */ +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + rustsecp256k1zkp_v0_6_0_modinv32_update_fg_30_var(len, &f, &g, &t); + /* If the bottom limb of g is 0, there is a chance g=0. */ + if (g.v[0] == 0) { + cond = 0; + /* Check if all other limbs are also 0. */ + for (j = 1; j < len; ++j) { + cond |= g.v[j]; + } + /* If so, we're done. */ + if (cond == 0) break; + } + + /* Determine if len>1 and limb (len-1) of both f and g is 0 or -1. */ + fn = f.v[len - 1]; + gn = g.v[len - 1]; + cond = ((int32_t)len - 2) >> 31; + cond |= fn ^ (fn >> 31); + cond |= gn ^ (gn >> 31); + /* If so, reduce length, propagating the sign of f and g's top limb into the one below. */ + if (cond == 0) { + f.v[len - 2] |= (uint32_t)fn << 30; + g.v[len - 2] |= (uint32_t)gn << 30; + --len; + } +#ifdef VERIFY + VERIFY_CHECK(++i < 25); /* We should never need more than 25*30 = 750 divsteps */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + } + + /* At this point g is 0 and (if g was not originally 0) f must now equal +/- GCD of + * the initial f, g values i.e. +/- 1, and d now contains +/- the modular inverse. */ +#ifdef VERIFY + /* g == 0 */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&g, len, &SECP256K1_SIGNED30_ONE, 0) == 0); + /* |f| == 1, or (x == 0 and d == 0 and |f|=modulus) */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &SECP256K1_SIGNED30_ONE, -1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &SECP256K1_SIGNED30_ONE, 1) == 0 || + (rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(x, 9, &SECP256K1_SIGNED30_ONE, 0) == 0 && + rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&d, 9, &SECP256K1_SIGNED30_ONE, 0) == 0 && + (rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &modinfo->modulus, 1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv32_mul_cmp_30(&f, len, &modinfo->modulus, -1) == 0))); +#endif + + /* Optionally negate d, normalize to [0,modulus), and return it. */ + rustsecp256k1zkp_v0_6_0_modinv32_normalize_30(&d, f.v[len - 1], modinfo); + *x = d; +} + +#endif /* SECP256K1_MODINV32_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modinv64.h b/secp256k1-zkp-sys/depend/secp256k1/src/modinv64.h new file mode 100644 index 00000000..9c95e62f --- /dev/null +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modinv64.h @@ -0,0 +1,46 @@ +/*********************************************************************** + * Copyright (c) 2020 Peter Dettman * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or https://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#ifndef SECP256K1_MODINV64_H +#define SECP256K1_MODINV64_H + +#if defined HAVE_CONFIG_H +#include "libsecp256k1-config.h" +#endif + +#include "util.h" + +#ifndef SECP256K1_WIDEMUL_INT128 +#error "modinv64 requires 128-bit wide multiplication support" +#endif + +/* A signed 62-bit limb representation of integers. + * + * Its value is sum(v[i] * 2^(62*i), i=0..4). */ +typedef struct { + int64_t v[5]; +} rustsecp256k1zkp_v0_6_0_modinv64_signed62; + +typedef struct { + /* The modulus in signed62 notation, must be odd and in [3, 2^256]. */ + rustsecp256k1zkp_v0_6_0_modinv64_signed62 modulus; + + /* modulus^{-1} mod 2^62 */ + uint64_t modulus_inv62; +} rustsecp256k1zkp_v0_6_0_modinv64_modinfo; + +/* Replace x with its modular inverse mod modinfo->modulus. x must be in range [0, modulus). + * If x is zero, the result will be zero as well. If not, the inverse must exist (i.e., the gcd of + * x and modulus must be 1). These rules are automatically satisfied if the modulus is prime. + * + * On output, all of x's limbs will be in [0, 2^62). + */ +static void rustsecp256k1zkp_v0_6_0_modinv64_var(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *x, const rustsecp256k1zkp_v0_6_0_modinv64_modinfo *modinfo); + +/* Same as rustsecp256k1zkp_v0_6_0_modinv64_var, but constant time in x (not in the modulus). */ +static void rustsecp256k1zkp_v0_6_0_modinv64(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *x, const rustsecp256k1zkp_v0_6_0_modinv64_modinfo *modinfo); + +#endif /* SECP256K1_MODINV64_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modinv64_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modinv64_impl.h new file mode 100644 index 00000000..3648226a --- /dev/null +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modinv64_impl.h @@ -0,0 +1,593 @@ +/*********************************************************************** + * Copyright (c) 2020 Peter Dettman * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or https://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#ifndef SECP256K1_MODINV64_IMPL_H +#define SECP256K1_MODINV64_IMPL_H + +#include "modinv64.h" + +#include "util.h" + +/* This file implements modular inversion based on the paper "Fast constant-time gcd computation and + * modular inversion" by Daniel J. Bernstein and Bo-Yin Yang. + * + * For an explanation of the algorithm, see doc/safegcd_implementation.md. This file contains an + * implementation for N=62, using 62-bit signed limbs represented as int64_t. + */ + +#ifdef VERIFY +/* Helper function to compute the absolute value of an int64_t. + * (we don't use abs/labs/llabs as it depends on the int sizes). */ +static int64_t rustsecp256k1zkp_v0_6_0_modinv64_abs(int64_t v) { + VERIFY_CHECK(v > INT64_MIN); + if (v < 0) return -v; + return v; +} + +static const rustsecp256k1zkp_v0_6_0_modinv64_signed62 SECP256K1_SIGNED62_ONE = {{1}}; + +/* Compute a*factor and put it in r. All but the top limb in r will be in range [0,2^62). */ +static void rustsecp256k1zkp_v0_6_0_modinv64_mul_62(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *r, const rustsecp256k1zkp_v0_6_0_modinv64_signed62 *a, int alen, int64_t factor) { + const int64_t M62 = (int64_t)(UINT64_MAX >> 2); + int128_t c = 0; + int i; + for (i = 0; i < 4; ++i) { + if (i < alen) c += (int128_t)a->v[i] * factor; + r->v[i] = (int64_t)c & M62; c >>= 62; + } + if (4 < alen) c += (int128_t)a->v[4] * factor; + VERIFY_CHECK(c == (int64_t)c); + r->v[4] = (int64_t)c; +} + +/* Return -1 for ab*factor. A has alen limbs; b has 5. */ +static int rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(const rustsecp256k1zkp_v0_6_0_modinv64_signed62 *a, int alen, const rustsecp256k1zkp_v0_6_0_modinv64_signed62 *b, int64_t factor) { + int i; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 am, bm; + rustsecp256k1zkp_v0_6_0_modinv64_mul_62(&am, a, alen, 1); /* Normalize all but the top limb of a. */ + rustsecp256k1zkp_v0_6_0_modinv64_mul_62(&bm, b, 5, factor); + for (i = 0; i < 4; ++i) { + /* Verify that all but the top limb of a and b are normalized. */ + VERIFY_CHECK(am.v[i] >> 62 == 0); + VERIFY_CHECK(bm.v[i] >> 62 == 0); + } + for (i = 4; i >= 0; --i) { + if (am.v[i] < bm.v[i]) return -1; + if (am.v[i] > bm.v[i]) return 1; + } + return 0; +} +#endif + +/* Take as input a signed62 number in range (-2*modulus,modulus), and add a multiple of the modulus + * to it to bring it to range [0,modulus). If sign < 0, the input will also be negated in the + * process. The input must have limbs in range (-2^62,2^62). The output will have limbs in range + * [0,2^62). */ +static void rustsecp256k1zkp_v0_6_0_modinv64_normalize_62(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *r, int64_t sign, const rustsecp256k1zkp_v0_6_0_modinv64_modinfo *modinfo) { + const int64_t M62 = (int64_t)(UINT64_MAX >> 2); + int64_t r0 = r->v[0], r1 = r->v[1], r2 = r->v[2], r3 = r->v[3], r4 = r->v[4]; + int64_t cond_add, cond_negate; + +#ifdef VERIFY + /* Verify that all limbs are in range (-2^62,2^62). */ + int i; + for (i = 0; i < 5; ++i) { + VERIFY_CHECK(r->v[i] >= -M62); + VERIFY_CHECK(r->v[i] <= M62); + } + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, -2) > 0); /* r > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 1) < 0); /* r < modulus */ +#endif + + /* In a first step, add the modulus if the input is negative, and then negate if requested. + * This brings r from range (-2*modulus,modulus) to range (-modulus,modulus). As all input + * limbs are in range (-2^62,2^62), this cannot overflow an int64_t. Note that the right + * shifts below are signed sign-extending shifts (see assumptions.h for tests that that is + * indeed the behavior of the right shift operator). */ + cond_add = r4 >> 63; + r0 += modinfo->modulus.v[0] & cond_add; + r1 += modinfo->modulus.v[1] & cond_add; + r2 += modinfo->modulus.v[2] & cond_add; + r3 += modinfo->modulus.v[3] & cond_add; + r4 += modinfo->modulus.v[4] & cond_add; + cond_negate = sign >> 63; + r0 = (r0 ^ cond_negate) - cond_negate; + r1 = (r1 ^ cond_negate) - cond_negate; + r2 = (r2 ^ cond_negate) - cond_negate; + r3 = (r3 ^ cond_negate) - cond_negate; + r4 = (r4 ^ cond_negate) - cond_negate; + /* Propagate the top bits, to bring limbs back to range (-2^62,2^62). */ + r1 += r0 >> 62; r0 &= M62; + r2 += r1 >> 62; r1 &= M62; + r3 += r2 >> 62; r2 &= M62; + r4 += r3 >> 62; r3 &= M62; + + /* In a second step add the modulus again if the result is still negative, bringing + * r to range [0,modulus). */ + cond_add = r4 >> 63; + r0 += modinfo->modulus.v[0] & cond_add; + r1 += modinfo->modulus.v[1] & cond_add; + r2 += modinfo->modulus.v[2] & cond_add; + r3 += modinfo->modulus.v[3] & cond_add; + r4 += modinfo->modulus.v[4] & cond_add; + /* And propagate again. */ + r1 += r0 >> 62; r0 &= M62; + r2 += r1 >> 62; r1 &= M62; + r3 += r2 >> 62; r2 &= M62; + r4 += r3 >> 62; r3 &= M62; + + r->v[0] = r0; + r->v[1] = r1; + r->v[2] = r2; + r->v[3] = r3; + r->v[4] = r4; + +#ifdef VERIFY + VERIFY_CHECK(r0 >> 62 == 0); + VERIFY_CHECK(r1 >> 62 == 0); + VERIFY_CHECK(r2 >> 62 == 0); + VERIFY_CHECK(r3 >> 62 == 0); + VERIFY_CHECK(r4 >> 62 == 0); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 0) >= 0); /* r >= 0 */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(r, 5, &modinfo->modulus, 1) < 0); /* r < modulus */ +#endif +} + +/* Data type for transition matrices (see section 3 of explanation). + * + * t = [ u v ] + * [ q r ] + */ +typedef struct { + int64_t u, v, q, r; +} rustsecp256k1zkp_v0_6_0_modinv64_trans2x2; + +/* Compute the transition matrix and eta for 59 divsteps (where zeta=-(delta+1/2)). + * Note that the transformation matrix is scaled by 2^62 and not 2^59. + * + * Input: zeta: initial zeta + * f0: bottom limb of initial f + * g0: bottom limb of initial g + * Output: t: transition matrix + * Return: final zeta + * + * Implements the divsteps_n_matrix function from the explanation. + */ +static int64_t rustsecp256k1zkp_v0_6_0_modinv64_divsteps_59(int64_t zeta, uint64_t f0, uint64_t g0, rustsecp256k1zkp_v0_6_0_modinv64_trans2x2 *t) { + /* u,v,q,r are the elements of the transformation matrix being built up, + * starting with the identity matrix times 8 (because the caller expects + * a result scaled by 2^62). Semantically they are signed integers + * in range [-2^62,2^62], but here represented as unsigned mod 2^64. This + * permits left shifting (which is UB for negative numbers). The range + * being inside [-2^63,2^63) means that casting to signed works correctly. + */ + uint64_t u = 8, v = 0, q = 0, r = 8; + uint64_t c1, c2, f = f0, g = g0, x, y, z; + int i; + + for (i = 3; i < 62; ++i) { + VERIFY_CHECK((f & 1) == 1); /* f must always be odd */ + VERIFY_CHECK((u * f0 + v * g0) == f << i); + VERIFY_CHECK((q * f0 + r * g0) == g << i); + /* Compute conditional masks for (zeta < 0) and for (g & 1). */ + c1 = zeta >> 63; + c2 = -(g & 1); + /* Compute x,y,z, conditionally negated versions of f,u,v. */ + x = (f ^ c1) - c1; + y = (u ^ c1) - c1; + z = (v ^ c1) - c1; + /* Conditionally add x,y,z to g,q,r. */ + g += x & c2; + q += y & c2; + r += z & c2; + /* In what follows, c1 is a condition mask for (zeta < 0) and (g & 1). */ + c1 &= c2; + /* Conditionally change zeta into -zeta-2 or zeta-1. */ + zeta = (zeta ^ c1) - 1; + /* Conditionally add g,q,r to f,u,v. */ + f += g & c1; + u += q & c1; + v += r & c1; + /* Shifts */ + g >>= 1; + u <<= 1; + v <<= 1; + /* Bounds on zeta that follow from the bounds on iteration count (max 10*59 divsteps). */ + VERIFY_CHECK(zeta >= -591 && zeta <= 591); + } + /* Return data in t and return value. */ + t->u = (int64_t)u; + t->v = (int64_t)v; + t->q = (int64_t)q; + t->r = (int64_t)r; + /* The determinant of t must be a power of two. This guarantees that multiplication with t + * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which + * will be divided out again). As each divstep's individual matrix has determinant 2, the + * aggregate of 59 of them will have determinant 2^59. Multiplying with the initial + * 8*identity (which has determinant 2^6) means the overall outputs has determinant + * 2^65. */ + VERIFY_CHECK((int128_t)t->u * t->r - (int128_t)t->v * t->q == ((int128_t)1) << 65); + return zeta; +} + +/* Compute the transition matrix and eta for 62 divsteps (variable time, eta=-delta). + * + * Input: eta: initial eta + * f0: bottom limb of initial f + * g0: bottom limb of initial g + * Output: t: transition matrix + * Return: final eta + * + * Implements the divsteps_n_matrix_var function from the explanation. + */ +static int64_t rustsecp256k1zkp_v0_6_0_modinv64_divsteps_62_var(int64_t eta, uint64_t f0, uint64_t g0, rustsecp256k1zkp_v0_6_0_modinv64_trans2x2 *t) { + /* Transformation matrix; see comments in rustsecp256k1zkp_v0_6_0_modinv64_divsteps_62. */ + uint64_t u = 1, v = 0, q = 0, r = 1; + uint64_t f = f0, g = g0, m; + uint32_t w; + int i = 62, limit, zeros; + + for (;;) { + /* Use a sentinel bit to count zeros only up to i. */ + zeros = rustsecp256k1zkp_v0_6_0_ctz64_var(g | (UINT64_MAX << i)); + /* Perform zeros divsteps at once; they all just divide g by two. */ + g >>= zeros; + u <<= zeros; + v <<= zeros; + eta -= zeros; + i -= zeros; + /* We're done once we've done 62 divsteps. */ + if (i == 0) break; + VERIFY_CHECK((f & 1) == 1); + VERIFY_CHECK((g & 1) == 1); + VERIFY_CHECK((u * f0 + v * g0) == f << (62 - i)); + VERIFY_CHECK((q * f0 + r * g0) == g << (62 - i)); + /* Bounds on eta that follow from the bounds on iteration count (max 12*62 divsteps). */ + VERIFY_CHECK(eta >= -745 && eta <= 745); + /* If eta is negative, negate it and replace f,g with g,-f. */ + if (eta < 0) { + uint64_t tmp; + eta = -eta; + tmp = f; f = g; g = -tmp; + tmp = u; u = q; q = -tmp; + tmp = v; v = r; r = -tmp; + /* Use a formula to cancel out up to 6 bits of g. Also, no more than i can be cancelled + * out (as we'd be done before that point), and no more than eta+1 can be done as its + * will flip again once that happens. */ + limit = ((int)eta + 1) > i ? i : ((int)eta + 1); + VERIFY_CHECK(limit > 0 && limit <= 62); + /* m is a mask for the bottom min(limit, 6) bits. */ + m = (UINT64_MAX >> (64 - limit)) & 63U; + /* Find what multiple of f must be added to g to cancel its bottom min(limit, 6) + * bits. */ + w = (f * g * (f * f - 2)) & m; + } else { + /* In this branch, use a simpler formula that only lets us cancel up to 4 bits of g, as + * eta tends to be smaller here. */ + limit = ((int)eta + 1) > i ? i : ((int)eta + 1); + VERIFY_CHECK(limit > 0 && limit <= 62); + /* m is a mask for the bottom min(limit, 4) bits. */ + m = (UINT64_MAX >> (64 - limit)) & 15U; + /* Find what multiple of f must be added to g to cancel its bottom min(limit, 4) + * bits. */ + w = f + (((f + 1) & 4) << 1); + w = (-w * g) & m; + } + g += f * w; + q += u * w; + r += v * w; + VERIFY_CHECK((g & m) == 0); + } + /* Return data in t and return value. */ + t->u = (int64_t)u; + t->v = (int64_t)v; + t->q = (int64_t)q; + t->r = (int64_t)r; + /* The determinant of t must be a power of two. This guarantees that multiplication with t + * does not change the gcd of f and g, apart from adding a power-of-2 factor to it (which + * will be divided out again). As each divstep's individual matrix has determinant 2, the + * aggregate of 62 of them will have determinant 2^62. */ + VERIFY_CHECK((int128_t)t->u * t->r - (int128_t)t->v * t->q == ((int128_t)1) << 62); + return eta; +} + +/* Compute (t/2^62) * [d, e] mod modulus, where t is a transition matrix scaled by 2^62. + * + * On input and output, d and e are in range (-2*modulus,modulus). All output limbs will be in range + * (-2^62,2^62). + * + * This implements the update_de function from the explanation. + */ +static void rustsecp256k1zkp_v0_6_0_modinv64_update_de_62(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *d, rustsecp256k1zkp_v0_6_0_modinv64_signed62 *e, const rustsecp256k1zkp_v0_6_0_modinv64_trans2x2 *t, const rustsecp256k1zkp_v0_6_0_modinv64_modinfo* modinfo) { + const int64_t M62 = (int64_t)(UINT64_MAX >> 2); + const int64_t d0 = d->v[0], d1 = d->v[1], d2 = d->v[2], d3 = d->v[3], d4 = d->v[4]; + const int64_t e0 = e->v[0], e1 = e->v[1], e2 = e->v[2], e3 = e->v[3], e4 = e->v[4]; + const int64_t u = t->u, v = t->v, q = t->q, r = t->r; + int64_t md, me, sd, se; + int128_t cd, ce; +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, -2) > 0); /* d > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, 1) < 0); /* d < modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, -2) > 0); /* e > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0); /* e < modulus */ + VERIFY_CHECK((rustsecp256k1zkp_v0_6_0_modinv64_abs(u) + rustsecp256k1zkp_v0_6_0_modinv64_abs(v)) >= 0); /* |u|+|v| doesn't overflow */ + VERIFY_CHECK((rustsecp256k1zkp_v0_6_0_modinv64_abs(q) + rustsecp256k1zkp_v0_6_0_modinv64_abs(r)) >= 0); /* |q|+|r| doesn't overflow */ + VERIFY_CHECK((rustsecp256k1zkp_v0_6_0_modinv64_abs(u) + rustsecp256k1zkp_v0_6_0_modinv64_abs(v)) <= M62 + 1); /* |u|+|v| <= 2^62 */ + VERIFY_CHECK((rustsecp256k1zkp_v0_6_0_modinv64_abs(q) + rustsecp256k1zkp_v0_6_0_modinv64_abs(r)) <= M62 + 1); /* |q|+|r| <= 2^62 */ +#endif + /* [md,me] start as zero; plus [u,q] if d is negative; plus [v,r] if e is negative. */ + sd = d4 >> 63; + se = e4 >> 63; + md = (u & sd) + (v & se); + me = (q & sd) + (r & se); + /* Begin computing t*[d,e]. */ + cd = (int128_t)u * d0 + (int128_t)v * e0; + ce = (int128_t)q * d0 + (int128_t)r * e0; + /* Correct md,me so that t*[d,e]+modulus*[md,me] has 62 zero bottom bits. */ + md -= (modinfo->modulus_inv62 * (uint64_t)cd + md) & M62; + me -= (modinfo->modulus_inv62 * (uint64_t)ce + me) & M62; + /* Update the beginning of computation for t*[d,e]+modulus*[md,me] now md,me are known. */ + cd += (int128_t)modinfo->modulus.v[0] * md; + ce += (int128_t)modinfo->modulus.v[0] * me; + /* Verify that the low 62 bits of the computation are indeed zero, and then throw them away. */ + VERIFY_CHECK(((int64_t)cd & M62) == 0); cd >>= 62; + VERIFY_CHECK(((int64_t)ce & M62) == 0); ce >>= 62; + /* Compute limb 1 of t*[d,e]+modulus*[md,me], and store it as output limb 0 (= down shift). */ + cd += (int128_t)u * d1 + (int128_t)v * e1; + ce += (int128_t)q * d1 + (int128_t)r * e1; + if (modinfo->modulus.v[1]) { /* Optimize for the case where limb of modulus is zero. */ + cd += (int128_t)modinfo->modulus.v[1] * md; + ce += (int128_t)modinfo->modulus.v[1] * me; + } + d->v[0] = (int64_t)cd & M62; cd >>= 62; + e->v[0] = (int64_t)ce & M62; ce >>= 62; + /* Compute limb 2 of t*[d,e]+modulus*[md,me], and store it as output limb 1. */ + cd += (int128_t)u * d2 + (int128_t)v * e2; + ce += (int128_t)q * d2 + (int128_t)r * e2; + if (modinfo->modulus.v[2]) { /* Optimize for the case where limb of modulus is zero. */ + cd += (int128_t)modinfo->modulus.v[2] * md; + ce += (int128_t)modinfo->modulus.v[2] * me; + } + d->v[1] = (int64_t)cd & M62; cd >>= 62; + e->v[1] = (int64_t)ce & M62; ce >>= 62; + /* Compute limb 3 of t*[d,e]+modulus*[md,me], and store it as output limb 2. */ + cd += (int128_t)u * d3 + (int128_t)v * e3; + ce += (int128_t)q * d3 + (int128_t)r * e3; + if (modinfo->modulus.v[3]) { /* Optimize for the case where limb of modulus is zero. */ + cd += (int128_t)modinfo->modulus.v[3] * md; + ce += (int128_t)modinfo->modulus.v[3] * me; + } + d->v[2] = (int64_t)cd & M62; cd >>= 62; + e->v[2] = (int64_t)ce & M62; ce >>= 62; + /* Compute limb 4 of t*[d,e]+modulus*[md,me], and store it as output limb 3. */ + cd += (int128_t)u * d4 + (int128_t)v * e4; + ce += (int128_t)q * d4 + (int128_t)r * e4; + cd += (int128_t)modinfo->modulus.v[4] * md; + ce += (int128_t)modinfo->modulus.v[4] * me; + d->v[3] = (int64_t)cd & M62; cd >>= 62; + e->v[3] = (int64_t)ce & M62; ce >>= 62; + /* What remains is limb 5 of t*[d,e]+modulus*[md,me]; store it as output limb 4. */ + d->v[4] = (int64_t)cd; + e->v[4] = (int64_t)ce; +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, -2) > 0); /* d > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(d, 5, &modinfo->modulus, 1) < 0); /* d < modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, -2) > 0); /* e > -2*modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0); /* e < modulus */ +#endif +} + +/* Compute (t/2^62) * [f, g], where t is a transition matrix scaled by 2^62. + * + * This implements the update_fg function from the explanation. + */ +static void rustsecp256k1zkp_v0_6_0_modinv64_update_fg_62(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *f, rustsecp256k1zkp_v0_6_0_modinv64_signed62 *g, const rustsecp256k1zkp_v0_6_0_modinv64_trans2x2 *t) { + const int64_t M62 = (int64_t)(UINT64_MAX >> 2); + const int64_t f0 = f->v[0], f1 = f->v[1], f2 = f->v[2], f3 = f->v[3], f4 = f->v[4]; + const int64_t g0 = g->v[0], g1 = g->v[1], g2 = g->v[2], g3 = g->v[3], g4 = g->v[4]; + const int64_t u = t->u, v = t->v, q = t->q, r = t->r; + int128_t cf, cg; + /* Start computing t*[f,g]. */ + cf = (int128_t)u * f0 + (int128_t)v * g0; + cg = (int128_t)q * f0 + (int128_t)r * g0; + /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */ + VERIFY_CHECK(((int64_t)cf & M62) == 0); cf >>= 62; + VERIFY_CHECK(((int64_t)cg & M62) == 0); cg >>= 62; + /* Compute limb 1 of t*[f,g], and store it as output limb 0 (= down shift). */ + cf += (int128_t)u * f1 + (int128_t)v * g1; + cg += (int128_t)q * f1 + (int128_t)r * g1; + f->v[0] = (int64_t)cf & M62; cf >>= 62; + g->v[0] = (int64_t)cg & M62; cg >>= 62; + /* Compute limb 2 of t*[f,g], and store it as output limb 1. */ + cf += (int128_t)u * f2 + (int128_t)v * g2; + cg += (int128_t)q * f2 + (int128_t)r * g2; + f->v[1] = (int64_t)cf & M62; cf >>= 62; + g->v[1] = (int64_t)cg & M62; cg >>= 62; + /* Compute limb 3 of t*[f,g], and store it as output limb 2. */ + cf += (int128_t)u * f3 + (int128_t)v * g3; + cg += (int128_t)q * f3 + (int128_t)r * g3; + f->v[2] = (int64_t)cf & M62; cf >>= 62; + g->v[2] = (int64_t)cg & M62; cg >>= 62; + /* Compute limb 4 of t*[f,g], and store it as output limb 3. */ + cf += (int128_t)u * f4 + (int128_t)v * g4; + cg += (int128_t)q * f4 + (int128_t)r * g4; + f->v[3] = (int64_t)cf & M62; cf >>= 62; + g->v[3] = (int64_t)cg & M62; cg >>= 62; + /* What remains is limb 5 of t*[f,g]; store it as output limb 4. */ + f->v[4] = (int64_t)cf; + g->v[4] = (int64_t)cg; +} + +/* Compute (t/2^62) * [f, g], where t is a transition matrix for 62 divsteps. + * + * Version that operates on a variable number of limbs in f and g. + * + * This implements the update_fg function from the explanation. + */ +static void rustsecp256k1zkp_v0_6_0_modinv64_update_fg_62_var(int len, rustsecp256k1zkp_v0_6_0_modinv64_signed62 *f, rustsecp256k1zkp_v0_6_0_modinv64_signed62 *g, const rustsecp256k1zkp_v0_6_0_modinv64_trans2x2 *t) { + const int64_t M62 = (int64_t)(UINT64_MAX >> 2); + const int64_t u = t->u, v = t->v, q = t->q, r = t->r; + int64_t fi, gi; + int128_t cf, cg; + int i; + VERIFY_CHECK(len > 0); + /* Start computing t*[f,g]. */ + fi = f->v[0]; + gi = g->v[0]; + cf = (int128_t)u * fi + (int128_t)v * gi; + cg = (int128_t)q * fi + (int128_t)r * gi; + /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */ + VERIFY_CHECK(((int64_t)cf & M62) == 0); cf >>= 62; + VERIFY_CHECK(((int64_t)cg & M62) == 0); cg >>= 62; + /* Now iteratively compute limb i=1..len of t*[f,g], and store them in output limb i-1 (shifting + * down by 62 bits). */ + for (i = 1; i < len; ++i) { + fi = f->v[i]; + gi = g->v[i]; + cf += (int128_t)u * fi + (int128_t)v * gi; + cg += (int128_t)q * fi + (int128_t)r * gi; + f->v[i - 1] = (int64_t)cf & M62; cf >>= 62; + g->v[i - 1] = (int64_t)cg & M62; cg >>= 62; + } + /* What remains is limb (len) of t*[f,g]; store it as output limb (len-1). */ + f->v[len - 1] = (int64_t)cf; + g->v[len - 1] = (int64_t)cg; +} + +/* Compute the inverse of x modulo modinfo->modulus, and replace x with it (constant time in x). */ +static void rustsecp256k1zkp_v0_6_0_modinv64(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *x, const rustsecp256k1zkp_v0_6_0_modinv64_modinfo *modinfo) { + /* Start with d=0, e=1, f=modulus, g=x, zeta=-1. */ + rustsecp256k1zkp_v0_6_0_modinv64_signed62 d = {{0, 0, 0, 0, 0}}; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 e = {{1, 0, 0, 0, 0}}; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 f = modinfo->modulus; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 g = *x; + int i; + int64_t zeta = -1; /* zeta = -(delta+1/2); delta starts at 1/2. */ + + /* Do 10 iterations of 59 divsteps each = 590 divsteps. This suffices for 256-bit inputs. */ + for (i = 0; i < 10; ++i) { + /* Compute transition matrix and new zeta after 59 divsteps. */ + rustsecp256k1zkp_v0_6_0_modinv64_trans2x2 t; + zeta = rustsecp256k1zkp_v0_6_0_modinv64_divsteps_59(zeta, f.v[0], g.v[0], &t); + /* Update d,e using that transition matrix. */ + rustsecp256k1zkp_v0_6_0_modinv64_update_de_62(&d, &e, &t, modinfo); + /* Update f,g using that transition matrix. */ +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + rustsecp256k1zkp_v0_6_0_modinv64_update_fg_62(&f, &g, &t); +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, 5, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + } + + /* At this point sufficient iterations have been performed that g must have reached 0 + * and (if g was not originally 0) f must now equal +/- GCD of the initial f, g + * values i.e. +/- 1, and d now contains +/- the modular inverse. */ +#ifdef VERIFY + /* g == 0 */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, 5, &SECP256K1_SIGNED62_ONE, 0) == 0); + /* |f| == 1, or (x == 0 and d == 0 and |f|=modulus) */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &SECP256K1_SIGNED62_ONE, -1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &SECP256K1_SIGNED62_ONE, 1) == 0 || + (rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(x, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && + rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&d, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && + (rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, 1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, 5, &modinfo->modulus, -1) == 0))); +#endif + + /* Optionally negate d, normalize to [0,modulus), and return it. */ + rustsecp256k1zkp_v0_6_0_modinv64_normalize_62(&d, f.v[4], modinfo); + *x = d; +} + +/* Compute the inverse of x modulo modinfo->modulus, and replace x with it (variable time). */ +static void rustsecp256k1zkp_v0_6_0_modinv64_var(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *x, const rustsecp256k1zkp_v0_6_0_modinv64_modinfo *modinfo) { + /* Start with d=0, e=1, f=modulus, g=x, eta=-1. */ + rustsecp256k1zkp_v0_6_0_modinv64_signed62 d = {{0, 0, 0, 0, 0}}; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 e = {{1, 0, 0, 0, 0}}; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 f = modinfo->modulus; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 g = *x; +#ifdef VERIFY + int i = 0; +#endif + int j, len = 5; + int64_t eta = -1; /* eta = -delta; delta is initially 1 */ + int64_t cond, fn, gn; + + /* Do iterations of 62 divsteps each until g=0. */ + while (1) { + /* Compute transition matrix and new eta after 62 divsteps. */ + rustsecp256k1zkp_v0_6_0_modinv64_trans2x2 t; + eta = rustsecp256k1zkp_v0_6_0_modinv64_divsteps_62_var(eta, f.v[0], g.v[0], &t); + /* Update d,e using that transition matrix. */ + rustsecp256k1zkp_v0_6_0_modinv64_update_de_62(&d, &e, &t, modinfo); + /* Update f,g using that transition matrix. */ +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + rustsecp256k1zkp_v0_6_0_modinv64_update_fg_62_var(len, &f, &g, &t); + /* If the bottom limb of g is zero, there is a chance that g=0. */ + if (g.v[0] == 0) { + cond = 0; + /* Check if the other limbs are also 0. */ + for (j = 1; j < len; ++j) { + cond |= g.v[j]; + } + /* If so, we're done. */ + if (cond == 0) break; + } + + /* Determine if len>1 and limb (len-1) of both f and g is 0 or -1. */ + fn = f.v[len - 1]; + gn = g.v[len - 1]; + cond = ((int64_t)len - 2) >> 63; + cond |= fn ^ (fn >> 63); + cond |= gn ^ (gn >> 63); + /* If so, reduce length, propagating the sign of f and g's top limb into the one below. */ + if (cond == 0) { + f.v[len - 2] |= (uint64_t)fn << 62; + g.v[len - 2] |= (uint64_t)gn << 62; + --len; + } +#ifdef VERIFY + VERIFY_CHECK(++i < 12); /* We should never need more than 12*62 = 744 divsteps */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) > 0); /* f > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) <= 0); /* f <= modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, -1) > 0); /* g > -modulus */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, len, &modinfo->modulus, 1) < 0); /* g < modulus */ +#endif + } + + /* At this point g is 0 and (if g was not originally 0) f must now equal +/- GCD of + * the initial f, g values i.e. +/- 1, and d now contains +/- the modular inverse. */ +#ifdef VERIFY + /* g == 0 */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&g, len, &SECP256K1_SIGNED62_ONE, 0) == 0); + /* |f| == 1, or (x == 0 and d == 0 and |f|=modulus) */ + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &SECP256K1_SIGNED62_ONE, -1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &SECP256K1_SIGNED62_ONE, 1) == 0 || + (rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(x, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && + rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&d, 5, &SECP256K1_SIGNED62_ONE, 0) == 0 && + (rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, 1) == 0 || + rustsecp256k1zkp_v0_6_0_modinv64_mul_cmp_62(&f, len, &modinfo->modulus, -1) == 0))); +#endif + + /* Optionally negate d, normalize to [0,modulus), and return it. */ + rustsecp256k1zkp_v0_6_0_modinv64_normalize_62(&d, f.v[len - 1], modinfo); + *x = d; +} + +#endif /* SECP256K1_MODINV64_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include index 00ccacc6..3b15b7e8 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_ecdh.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_ecdh.h noinst_HEADERS += src/modules/ecdh/main_impl.h noinst_HEADERS += src/modules/ecdh/tests_impl.h if USE_BENCHMARK diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/main_impl.h index c602a061..84174ba1 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/main_impl.h @@ -7,31 +7,31 @@ #ifndef SECP256K1_MODULE_ECDH_MAIN_H #define SECP256K1_MODULE_ECDH_MAIN_H -#include "include/secp256k1_ecdh.h" -#include "ecmult_const_impl.h" +#include "../../../include/secp256k1_ecdh.h" +#include "../../ecmult_const_impl.h" static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) { unsigned char version = (y32[31] & 0x01) | 0x02; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; (void)data; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, &version, 1); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, x32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, output); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, &version, 1); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, x32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, output); return 1; } -const rustsecp256k1zkp_v0_5_0_ecdh_hash_function rustsecp256k1zkp_v0_5_0_ecdh_hash_function_sha256 = ecdh_hash_function_sha256; -const rustsecp256k1zkp_v0_5_0_ecdh_hash_function rustsecp256k1zkp_v0_5_0_ecdh_hash_function_default = ecdh_hash_function_sha256; +const rustsecp256k1zkp_v0_6_0_ecdh_hash_function rustsecp256k1zkp_v0_6_0_ecdh_hash_function_sha256 = ecdh_hash_function_sha256; +const rustsecp256k1zkp_v0_6_0_ecdh_hash_function rustsecp256k1zkp_v0_6_0_ecdh_hash_function_default = ecdh_hash_function_sha256; -int rustsecp256k1zkp_v0_5_0_ecdh(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, const rustsecp256k1zkp_v0_5_0_pubkey *point, const unsigned char *scalar, rustsecp256k1zkp_v0_5_0_ecdh_hash_function hashfp, void *data) { +int rustsecp256k1zkp_v0_6_0_ecdh(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, const rustsecp256k1zkp_v0_6_0_pubkey *point, const unsigned char *scalar, rustsecp256k1zkp_v0_6_0_ecdh_hash_function hashfp, void *data) { int ret = 0; int overflow = 0; - rustsecp256k1zkp_v0_5_0_gej res; - rustsecp256k1zkp_v0_5_0_ge pt; - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_gej res; + rustsecp256k1zkp_v0_6_0_ge pt; + rustsecp256k1zkp_v0_6_0_scalar s; unsigned char x[32]; unsigned char y[32]; @@ -41,29 +41,29 @@ int rustsecp256k1zkp_v0_5_0_ecdh(const rustsecp256k1zkp_v0_5_0_context* ctx, uns ARG_CHECK(scalar != NULL); if (hashfp == NULL) { - hashfp = rustsecp256k1zkp_v0_5_0_ecdh_hash_function_default; + hashfp = rustsecp256k1zkp_v0_6_0_ecdh_hash_function_default; } - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &pt, point); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, scalar, &overflow); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &pt, point); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, scalar, &overflow); - overflow |= rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&s, &rustsecp256k1zkp_v0_5_0_scalar_one, overflow); + overflow |= rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&s, &rustsecp256k1zkp_v0_6_0_scalar_one, overflow); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res, &pt, &s, 256); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pt, &res); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res, &pt, &s, 256); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pt, &res); /* Compute a hash of the point */ - rustsecp256k1zkp_v0_5_0_fe_normalize(&pt.x); - rustsecp256k1zkp_v0_5_0_fe_normalize(&pt.y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(x, &pt.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(y, &pt.y); + rustsecp256k1zkp_v0_6_0_fe_normalize(&pt.x); + rustsecp256k1zkp_v0_6_0_fe_normalize(&pt.y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(x, &pt.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(y, &pt.y); ret = hashfp(output, x, y, data); memset(x, 0, 32); memset(y, 0, 32); - rustsecp256k1zkp_v0_5_0_scalar_clear(&s); + rustsecp256k1zkp_v0_6_0_scalar_clear(&s); return !!ret & !overflow; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h index 26d6a5e8..8692500f 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h @@ -26,71 +26,71 @@ int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, con void test_ecdh_api(void) { /* Setup context that just counts errors */ - rustsecp256k1zkp_v0_5_0_context *tctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_pubkey point; + rustsecp256k1zkp_v0_6_0_context *tctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_pubkey point; unsigned char res[32]; unsigned char s_one[32] = { 0 }; int32_t ecount = 0; s_one[31] = 1; - rustsecp256k1zkp_v0_5_0_context_set_error_callback(tctx, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(tctx, counting_illegal_callback_fn, &ecount); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(tctx, &point, s_one) == 1); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(tctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(tctx, counting_illegal_callback_fn, &ecount); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(tctx, &point, s_one) == 1); /* Check all NULLs are detected */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(tctx, NULL, &point, s_one, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(tctx, NULL, &point, s_one, NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(tctx, res, NULL, s_one, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(tctx, res, NULL, s_one, NULL, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(tctx, res, &point, NULL, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(tctx, res, &point, NULL, NULL, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); CHECK(ecount == 3); /* Cleanup */ - rustsecp256k1zkp_v0_5_0_context_destroy(tctx); + rustsecp256k1zkp_v0_6_0_context_destroy(tctx); } void test_ecdh_generator_basepoint(void) { unsigned char s_one[32] = { 0 }; - rustsecp256k1zkp_v0_5_0_pubkey point[2]; + rustsecp256k1zkp_v0_6_0_pubkey point[2]; int i; s_one[31] = 1; /* Check against pubkey creation when the basepoint is the generator */ for (i = 0; i < 100; ++i) { - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char s_b32[32]; unsigned char output_ecdh[65]; unsigned char output_ser[32]; unsigned char point_ser[65]; size_t point_ser_len = sizeof(point_ser); - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar s; random_scalar_order(&s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(s_b32, &s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(s_b32, &s); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &point[0], s_one) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &point[1], s_b32) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &point[0], s_one) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &point[1], s_b32) == 1); /* compute using ECDH function with custom hash function */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(ctx, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(ctx, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1); /* compute "explicitly" */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1); /* compare */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(output_ecdh, point_ser, 65) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(output_ecdh, point_ser, 65) == 0); /* compute using ECDH function with default hash function */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1); /* compute "explicitly" */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, point_ser, point_ser_len); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, output_ser); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, point_ser, point_ser_len); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, output_ser); /* compare */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(output_ecdh, output_ser, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(output_ecdh, output_ser, 32) == 0); } } @@ -104,23 +104,23 @@ void test_bad_scalar(void) { }; unsigned char s_rand[32] = { 0 }; unsigned char output[32]; - rustsecp256k1zkp_v0_5_0_scalar rand; - rustsecp256k1zkp_v0_5_0_pubkey point; + rustsecp256k1zkp_v0_6_0_scalar rand; + rustsecp256k1zkp_v0_6_0_pubkey point; /* Create random point */ random_scalar_order(&rand); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(s_rand, &rand); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &point, s_rand) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(s_rand, &rand); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &point, s_rand) == 1); /* Try to multiply it by bad values */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(ctx, output, &point, s_zero, NULL, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(ctx, output, &point, s_zero, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 0); /* ...and a good one */ s_overflow[31] -= 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 1); /* Hash function failure results in ecdh failure */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdh(ctx, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdh(ctx, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0); } void run_ecdh_tests(void) { diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/Makefile.am.include index 3fd27d7b..eb90788f 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_ecdsa_adaptor.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_ecdsa_adaptor.h noinst_HEADERS += src/modules/ecdsa_adaptor/main_impl.h noinst_HEADERS += src/modules/ecdsa_adaptor/dleq_impl.h noinst_HEADERS += src/modules/ecdsa_adaptor/tests_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/dleq_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/dleq_impl.h index 7310915c..73967450 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/dleq_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/dleq_impl.h @@ -3,8 +3,8 @@ /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("DLEQ")||SHA256("DLEQ"). */ -static void rustsecp256k1zkp_v0_5_0_nonce_function_dleq_sha256_tagged(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_nonce_function_dleq_sha256_tagged(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0x8cc4beacul; sha->s[1] = 0x2e011f3ful; sha->s[2] = 0x355c75fbul; @@ -20,38 +20,38 @@ static void rustsecp256k1zkp_v0_5_0_nonce_function_dleq_sha256_tagged(rustsecp25 /* algo argument for nonce_function_ecdsa_adaptor to derive the nonce using a tagged hash function. */ static const unsigned char dleq_algo[4] = "DLEQ"; -static int rustsecp256k1zkp_v0_5_0_dleq_hash_point(rustsecp256k1zkp_v0_5_0_sha256 *sha, rustsecp256k1zkp_v0_5_0_ge *p) { +static int rustsecp256k1zkp_v0_6_0_dleq_hash_point(rustsecp256k1zkp_v0_6_0_sha256 *sha, rustsecp256k1zkp_v0_6_0_ge *p) { unsigned char buf[33]; size_t size = 33; - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(p, buf, &size, 1)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(p, buf, &size, 1)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(sha, buf, size); + rustsecp256k1zkp_v0_6_0_sha256_write(sha, buf, size); return 1; } -static int rustsecp256k1zkp_v0_5_0_dleq_nonce(rustsecp256k1zkp_v0_5_0_scalar *k, const unsigned char *sk32, const unsigned char *gen2_33, const unsigned char *p1_33, const unsigned char *p2_33, rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor noncefp, void *ndata) { - rustsecp256k1zkp_v0_5_0_sha256 sha; +static int rustsecp256k1zkp_v0_6_0_dleq_nonce(rustsecp256k1zkp_v0_6_0_scalar *k, const unsigned char *sk32, const unsigned char *gen2_33, const unsigned char *p1_33, const unsigned char *p2_33, rustsecp256k1zkp_v0_6_0_nonce_function_hardened_ecdsa_adaptor noncefp, void *ndata) { + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char buf[32]; unsigned char nonce[32]; size_t size = 33; if (noncefp == NULL) { - noncefp = rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor; + noncefp = rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor; } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, p1_33, size); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, p2_33, size); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, buf); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, p1_33, size); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, p2_33, size); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, buf); if (!noncefp(nonce, buf, sk32, gen2_33, dleq_algo, sizeof(dleq_algo), ndata)) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(k, nonce, NULL); - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(k)) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(k, nonce, NULL); + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(k)) { return 0; } @@ -60,36 +60,36 @@ static int rustsecp256k1zkp_v0_5_0_dleq_nonce(rustsecp256k1zkp_v0_5_0_scalar *k, /* Generates a challenge as defined in the DLC Specification at * https://github.com/discreetlogcontracts/dlcspecs */ -static void rustsecp256k1zkp_v0_5_0_dleq_challenge(rustsecp256k1zkp_v0_5_0_scalar *e, rustsecp256k1zkp_v0_5_0_ge *gen2, rustsecp256k1zkp_v0_5_0_ge *r1, rustsecp256k1zkp_v0_5_0_ge *r2, rustsecp256k1zkp_v0_5_0_ge *p1, rustsecp256k1zkp_v0_5_0_ge *p2) { +static void rustsecp256k1zkp_v0_6_0_dleq_challenge(rustsecp256k1zkp_v0_6_0_scalar *e, rustsecp256k1zkp_v0_6_0_ge *gen2, rustsecp256k1zkp_v0_6_0_ge *r1, rustsecp256k1zkp_v0_6_0_ge *r2, rustsecp256k1zkp_v0_6_0_ge *p1, rustsecp256k1zkp_v0_6_0_ge *p2) { unsigned char buf[32]; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_nonce_function_dleq_sha256_tagged(&sha); - rustsecp256k1zkp_v0_5_0_dleq_hash_point(&sha, p1); - rustsecp256k1zkp_v0_5_0_dleq_hash_point(&sha, gen2); - rustsecp256k1zkp_v0_5_0_dleq_hash_point(&sha, p2); - rustsecp256k1zkp_v0_5_0_dleq_hash_point(&sha, r1); - rustsecp256k1zkp_v0_5_0_dleq_hash_point(&sha, r2); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, buf); + rustsecp256k1zkp_v0_6_0_nonce_function_dleq_sha256_tagged(&sha); + rustsecp256k1zkp_v0_6_0_dleq_hash_point(&sha, p1); + rustsecp256k1zkp_v0_6_0_dleq_hash_point(&sha, gen2); + rustsecp256k1zkp_v0_6_0_dleq_hash_point(&sha, p2); + rustsecp256k1zkp_v0_6_0_dleq_hash_point(&sha, r1); + rustsecp256k1zkp_v0_6_0_dleq_hash_point(&sha, r2); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, buf); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(e, buf, NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(e, buf, NULL); } /* P1 = x*G, P2 = x*Y */ -static void rustsecp256k1zkp_v0_5_0_dleq_pair(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_5_0_ge *p1, rustsecp256k1zkp_v0_5_0_ge *p2, const rustsecp256k1zkp_v0_5_0_scalar *sk, const rustsecp256k1zkp_v0_5_0_ge *gen2) { - rustsecp256k1zkp_v0_5_0_gej p1j, p2j; +static void rustsecp256k1zkp_v0_6_0_dleq_pair(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_6_0_ge *p1, rustsecp256k1zkp_v0_6_0_ge *p2, const rustsecp256k1zkp_v0_6_0_scalar *sk, const rustsecp256k1zkp_v0_6_0_ge *gen2) { + rustsecp256k1zkp_v0_6_0_gej p1j, p2j; - rustsecp256k1zkp_v0_5_0_ecmult_gen(ecmult_gen_ctx, &p1j, sk); - rustsecp256k1zkp_v0_5_0_ge_set_gej(p1, &p1j); - rustsecp256k1zkp_v0_5_0_ecmult_const(&p2j, gen2, sk, 256); - rustsecp256k1zkp_v0_5_0_ge_set_gej(p2, &p2j); + rustsecp256k1zkp_v0_6_0_ecmult_gen(ecmult_gen_ctx, &p1j, sk); + rustsecp256k1zkp_v0_6_0_ge_set_gej(p1, &p1j); + rustsecp256k1zkp_v0_6_0_ecmult_const(&p2j, gen2, sk, 256); + rustsecp256k1zkp_v0_6_0_ge_set_gej(p2, &p2j); } /* Generates a proof that the discrete logarithm of P1 to the secp256k1 base G is the * same as the discrete logarithm of P2 to the base Y */ -static int rustsecp256k1zkp_v0_5_0_dleq_prove(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar *s, rustsecp256k1zkp_v0_5_0_scalar *e, const rustsecp256k1zkp_v0_5_0_scalar *sk, rustsecp256k1zkp_v0_5_0_ge *gen2, rustsecp256k1zkp_v0_5_0_ge *p1, rustsecp256k1zkp_v0_5_0_ge *p2, rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor noncefp, void *ndata) { - rustsecp256k1zkp_v0_5_0_ge r1, r2; - rustsecp256k1zkp_v0_5_0_scalar k = { 0 }; +static int rustsecp256k1zkp_v0_6_0_dleq_prove(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar *s, rustsecp256k1zkp_v0_6_0_scalar *e, const rustsecp256k1zkp_v0_6_0_scalar *sk, rustsecp256k1zkp_v0_6_0_ge *gen2, rustsecp256k1zkp_v0_6_0_ge *p1, rustsecp256k1zkp_v0_6_0_ge *p2, rustsecp256k1zkp_v0_6_0_nonce_function_hardened_ecdsa_adaptor noncefp, void *ndata) { + rustsecp256k1zkp_v0_6_0_ge r1, r2; + rustsecp256k1zkp_v0_6_0_scalar k = { 0 }; unsigned char sk32[32]; unsigned char gen2_33[33]; unsigned char p1_33[33]; @@ -97,62 +97,62 @@ static int rustsecp256k1zkp_v0_5_0_dleq_prove(const rustsecp256k1zkp_v0_5_0_cont int ret = 1; size_t pubkey_size = 33; - rustsecp256k1zkp_v0_5_0_scalar_get_b32(sk32, sk); - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(gen2, gen2_33, &pubkey_size, 1)) { + rustsecp256k1zkp_v0_6_0_scalar_get_b32(sk32, sk); + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(gen2, gen2_33, &pubkey_size, 1)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(p1, p1_33, &pubkey_size, 1)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(p1, p1_33, &pubkey_size, 1)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(p2, p2_33, &pubkey_size, 1)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(p2, p2_33, &pubkey_size, 1)) { return 0; } - ret &= rustsecp256k1zkp_v0_5_0_dleq_nonce(&k, sk32, gen2_33, p1_33, p2_33, noncefp, ndata); + ret &= rustsecp256k1zkp_v0_6_0_dleq_nonce(&k, sk32, gen2_33, p1_33, p2_33, noncefp, ndata); /* R1 = k*G, R2 = k*Y */ - rustsecp256k1zkp_v0_5_0_dleq_pair(&ctx->ecmult_gen_ctx, &r1, &r2, &k, gen2); + rustsecp256k1zkp_v0_6_0_dleq_pair(&ctx->ecmult_gen_ctx, &r1, &r2, &k, gen2); /* We declassify the non-secret values r1 and r2 to allow using them as * branch points. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &r1, sizeof(r1)); - rustsecp256k1zkp_v0_5_0_declassify(ctx, &r2, sizeof(r2)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &r1, sizeof(r1)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &r2, sizeof(r2)); /* e = tagged hash(p1, gen2, p2, r1, r2) */ /* s = k + e * sk */ - rustsecp256k1zkp_v0_5_0_dleq_challenge(e, gen2, &r1, &r2, p1, p2); - rustsecp256k1zkp_v0_5_0_scalar_mul(s, e, sk); - rustsecp256k1zkp_v0_5_0_scalar_add(s, s, &k); + rustsecp256k1zkp_v0_6_0_dleq_challenge(e, gen2, &r1, &r2, p1, p2); + rustsecp256k1zkp_v0_6_0_scalar_mul(s, e, sk); + rustsecp256k1zkp_v0_6_0_scalar_add(s, s, &k); - rustsecp256k1zkp_v0_5_0_scalar_clear(&k); + rustsecp256k1zkp_v0_6_0_scalar_clear(&k); return ret; } -static int rustsecp256k1zkp_v0_5_0_dleq_verify(const rustsecp256k1zkp_v0_5_0_ecmult_context *ecmult_ctx, const rustsecp256k1zkp_v0_5_0_scalar *s, const rustsecp256k1zkp_v0_5_0_scalar *e, rustsecp256k1zkp_v0_5_0_ge *p1, rustsecp256k1zkp_v0_5_0_ge *gen2, rustsecp256k1zkp_v0_5_0_ge *p2) { - rustsecp256k1zkp_v0_5_0_scalar e_neg; - rustsecp256k1zkp_v0_5_0_scalar e_expected; - rustsecp256k1zkp_v0_5_0_gej gen2j; - rustsecp256k1zkp_v0_5_0_gej p1j, p2j; - rustsecp256k1zkp_v0_5_0_gej r1j, r2j; - rustsecp256k1zkp_v0_5_0_ge r1, r2; - rustsecp256k1zkp_v0_5_0_gej tmpj; +static int rustsecp256k1zkp_v0_6_0_dleq_verify(const rustsecp256k1zkp_v0_6_0_ecmult_context *ecmult_ctx, const rustsecp256k1zkp_v0_6_0_scalar *s, const rustsecp256k1zkp_v0_6_0_scalar *e, rustsecp256k1zkp_v0_6_0_ge *p1, rustsecp256k1zkp_v0_6_0_ge *gen2, rustsecp256k1zkp_v0_6_0_ge *p2) { + rustsecp256k1zkp_v0_6_0_scalar e_neg; + rustsecp256k1zkp_v0_6_0_scalar e_expected; + rustsecp256k1zkp_v0_6_0_gej gen2j; + rustsecp256k1zkp_v0_6_0_gej p1j, p2j; + rustsecp256k1zkp_v0_6_0_gej r1j, r2j; + rustsecp256k1zkp_v0_6_0_ge r1, r2; + rustsecp256k1zkp_v0_6_0_gej tmpj; - rustsecp256k1zkp_v0_5_0_gej_set_ge(&p1j, p1); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&p2j, p2); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&p1j, p1); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&p2j, p2); - rustsecp256k1zkp_v0_5_0_scalar_negate(&e_neg, e); + rustsecp256k1zkp_v0_6_0_scalar_negate(&e_neg, e); /* R1 = s*G - e*P1 */ - rustsecp256k1zkp_v0_5_0_ecmult(ecmult_ctx, &r1j, &p1j, &e_neg, s); + rustsecp256k1zkp_v0_6_0_ecmult(ecmult_ctx, &r1j, &p1j, &e_neg, s); /* R2 = s*gen2 - e*P2 */ - rustsecp256k1zkp_v0_5_0_ecmult(ecmult_ctx, &tmpj, &p2j, &e_neg, &rustsecp256k1zkp_v0_5_0_scalar_zero); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&gen2j, gen2); - rustsecp256k1zkp_v0_5_0_ecmult(ecmult_ctx, &r2j, &gen2j, s, &rustsecp256k1zkp_v0_5_0_scalar_zero); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r2j, &r2j, &tmpj, NULL); + rustsecp256k1zkp_v0_6_0_ecmult(ecmult_ctx, &tmpj, &p2j, &e_neg, &rustsecp256k1zkp_v0_6_0_scalar_zero); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&gen2j, gen2); + rustsecp256k1zkp_v0_6_0_ecmult(ecmult_ctx, &r2j, &gen2j, s, &rustsecp256k1zkp_v0_6_0_scalar_zero); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r2j, &r2j, &tmpj, NULL); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&r1, &r1j); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&r2, &r2j); - rustsecp256k1zkp_v0_5_0_dleq_challenge(&e_expected, gen2, &r1, &r2, p1, p2); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&r1, &r1j); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&r2, &r2j); + rustsecp256k1zkp_v0_6_0_dleq_challenge(&e_expected, gen2, &r1, &r2, p1, p2); - rustsecp256k1zkp_v0_5_0_scalar_add(&e_expected, &e_expected, &e_neg); - return rustsecp256k1zkp_v0_5_0_scalar_is_zero(&e_expected); + rustsecp256k1zkp_v0_6_0_scalar_add(&e_expected, &e_expected, &e_neg); + return rustsecp256k1zkp_v0_6_0_scalar_is_zero(&e_expected); } #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/main_impl.h index 751e5434..962dac4d 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/main_impl.h @@ -11,53 +11,53 @@ #include "modules/ecdsa_adaptor/dleq_impl.h" /* (R, R', s', dleq_proof) */ -static int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_serialize(unsigned char *adaptor_sig162, rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_ge *rp, const rustsecp256k1zkp_v0_5_0_scalar *sp, const rustsecp256k1zkp_v0_5_0_scalar *dleq_proof_e, const rustsecp256k1zkp_v0_5_0_scalar *dleq_proof_s) { +static int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_serialize(unsigned char *adaptor_sig162, rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_ge *rp, const rustsecp256k1zkp_v0_6_0_scalar *sp, const rustsecp256k1zkp_v0_6_0_scalar *dleq_proof_e, const rustsecp256k1zkp_v0_6_0_scalar *dleq_proof_s) { size_t size = 33; - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(r, adaptor_sig162, &size, 1)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(r, adaptor_sig162, &size, 1)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(rp, &adaptor_sig162[33], &size, 1)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(rp, &adaptor_sig162[33], &size, 1)) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&adaptor_sig162[66], sp); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&adaptor_sig162[98], dleq_proof_e); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&adaptor_sig162[130], dleq_proof_s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&adaptor_sig162[66], sp); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&adaptor_sig162[98], dleq_proof_e); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&adaptor_sig162[130], dleq_proof_s); return 1; } -static int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(rustsecp256k1zkp_v0_5_0_ge *r, rustsecp256k1zkp_v0_5_0_scalar *sigr, rustsecp256k1zkp_v0_5_0_ge *rp, rustsecp256k1zkp_v0_5_0_scalar *sp, rustsecp256k1zkp_v0_5_0_scalar *dleq_proof_e, rustsecp256k1zkp_v0_5_0_scalar *dleq_proof_s, const unsigned char *adaptor_sig162) { +static int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(rustsecp256k1zkp_v0_6_0_ge *r, rustsecp256k1zkp_v0_6_0_scalar *sigr, rustsecp256k1zkp_v0_6_0_ge *rp, rustsecp256k1zkp_v0_6_0_scalar *sp, rustsecp256k1zkp_v0_6_0_scalar *dleq_proof_e, rustsecp256k1zkp_v0_6_0_scalar *dleq_proof_s, const unsigned char *adaptor_sig162) { /* If r is deserialized, require that a sigr is provided to receive * the X-coordinate */ VERIFY_CHECK((r == NULL) || (r != NULL && sigr != NULL)); if (r != NULL) { - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(r, &adaptor_sig162[0], 33)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(r, &adaptor_sig162[0], 33)) { return 0; } } if (sigr != NULL) { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(sigr, &adaptor_sig162[1], NULL); - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(sigr)) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(sigr, &adaptor_sig162[1], NULL); + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(sigr)) { return 0; } } if (rp != NULL) { - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(rp, &adaptor_sig162[33], 33)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(rp, &adaptor_sig162[33], 33)) { return 0; } } if (sp != NULL) { - if (!rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(sp, &adaptor_sig162[66])) { + if (!rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(sp, &adaptor_sig162[66])) { return 0; } } if (dleq_proof_e != NULL) { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(dleq_proof_e, &adaptor_sig162[98], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(dleq_proof_e, &adaptor_sig162[98], NULL); } if (dleq_proof_s != NULL) { int overflow; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(dleq_proof_s, &adaptor_sig162[130], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(dleq_proof_s, &adaptor_sig162[130], &overflow); if (overflow) { return 0; } @@ -67,8 +67,8 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(rustsecp256k1zk /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("ECDSAadaptor/non")||SHA256("ECDSAadaptor/non"). */ -static void rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0x791dae43ul; sha->s[1] = 0xe52d3b44ul; sha->s[2] = 0x37f9edeaul; @@ -83,8 +83,8 @@ static void rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged(r /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("ECDSAadaptor/aux")||SHA256("ECDSAadaptor/aux"). */ -static void rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0xd14c7bd9ul; sha->s[1] = 0x095d35e6ul; sha->s[2] = 0xb8490a88ul; @@ -102,7 +102,7 @@ static const unsigned char ecdsa_adaptor_algo[16] = "ECDSAadaptor/non"; /* Modified BIP-340 nonce function */ static int nonce_function_ecdsa_adaptor(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *pk33, const unsigned char *algo, size_t algolen, void *data) { - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char masked_key[32]; int i; @@ -111,9 +111,9 @@ static int nonce_function_ecdsa_adaptor(unsigned char *nonce32, const unsigned c } if (data != NULL) { - rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, data, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, masked_key); + rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, data, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, masked_key); for (i = 0; i < 32; i++) { masked_key[i] ^= key32[i]; } @@ -123,159 +123,159 @@ static int nonce_function_ecdsa_adaptor(unsigned char *nonce32, const unsigned c * algorithims. An optimized tagging implementation is used if the default * tag is provided. */ if (algolen == sizeof(ecdsa_adaptor_algo) - && rustsecp256k1zkp_v0_5_0_memcmp_var(algo, ecdsa_adaptor_algo, algolen) == 0) { - rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged(&sha); + && rustsecp256k1zkp_v0_6_0_memcmp_var(algo, ecdsa_adaptor_algo, algolen) == 0) { + rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged(&sha); } else if (algolen == sizeof(dleq_algo) - && rustsecp256k1zkp_v0_5_0_memcmp_var(algo, dleq_algo, algolen) == 0) { - rustsecp256k1zkp_v0_5_0_nonce_function_dleq_sha256_tagged(&sha); + && rustsecp256k1zkp_v0_6_0_memcmp_var(algo, dleq_algo, algolen) == 0) { + rustsecp256k1zkp_v0_6_0_nonce_function_dleq_sha256_tagged(&sha); } else { - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, algo, algolen); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, algo, algolen); } /* Hash (masked-)key||pk||msg using the tagged hash as per BIP-340 */ if (data != NULL) { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, masked_key, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, masked_key, 32); } else { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, key32, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, key32, 32); } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, pk33, 33); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, msg32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, nonce32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, pk33, 33); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, msg32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, nonce32); return 1; } -const rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor = nonce_function_ecdsa_adaptor; - -int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *adaptor_sig162, unsigned char *seckey32, const rustsecp256k1zkp_v0_5_0_pubkey *enckey, const unsigned char *msg32, rustsecp256k1zkp_v0_5_0_nonce_function_hardened_ecdsa_adaptor noncefp, void *ndata) { - rustsecp256k1zkp_v0_5_0_scalar k; - rustsecp256k1zkp_v0_5_0_gej rj, rpj; - rustsecp256k1zkp_v0_5_0_ge r, rp; - rustsecp256k1zkp_v0_5_0_ge enckey_ge; - rustsecp256k1zkp_v0_5_0_scalar dleq_proof_s; - rustsecp256k1zkp_v0_5_0_scalar dleq_proof_e; - rustsecp256k1zkp_v0_5_0_scalar sk; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_scalar sp; - rustsecp256k1zkp_v0_5_0_scalar sigr; - rustsecp256k1zkp_v0_5_0_scalar n; +const rustsecp256k1zkp_v0_6_0_nonce_function_hardened_ecdsa_adaptor rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor = nonce_function_ecdsa_adaptor; + +int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *adaptor_sig162, unsigned char *seckey32, const rustsecp256k1zkp_v0_6_0_pubkey *enckey, const unsigned char *msg32, rustsecp256k1zkp_v0_6_0_nonce_function_hardened_ecdsa_adaptor noncefp, void *ndata) { + rustsecp256k1zkp_v0_6_0_scalar k; + rustsecp256k1zkp_v0_6_0_gej rj, rpj; + rustsecp256k1zkp_v0_6_0_ge r, rp; + rustsecp256k1zkp_v0_6_0_ge enckey_ge; + rustsecp256k1zkp_v0_6_0_scalar dleq_proof_s; + rustsecp256k1zkp_v0_6_0_scalar dleq_proof_e; + rustsecp256k1zkp_v0_6_0_scalar sk; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_scalar sp; + rustsecp256k1zkp_v0_6_0_scalar sigr; + rustsecp256k1zkp_v0_6_0_scalar n; unsigned char nonce32[32] = { 0 }; unsigned char buf33[33]; size_t size = 33; int ret = 1; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(adaptor_sig162 != NULL); ARG_CHECK(seckey32 != NULL); ARG_CHECK(enckey != NULL); ARG_CHECK(msg32 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_clear(&dleq_proof_e); - rustsecp256k1zkp_v0_5_0_scalar_clear(&dleq_proof_s); + rustsecp256k1zkp_v0_6_0_scalar_clear(&dleq_proof_e); + rustsecp256k1zkp_v0_6_0_scalar_clear(&dleq_proof_s); if (noncefp == NULL) { - noncefp = rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor; + noncefp = rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor; } - ret &= rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &enckey_ge, enckey); - ret &= rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&enckey_ge, buf33, &size, 1); + ret &= rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &enckey_ge, enckey); + ret &= rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&enckey_ge, buf33, &size, 1); ret &= !!noncefp(nonce32, msg32, seckey32, buf33, ecdsa_adaptor_algo, sizeof(ecdsa_adaptor_algo), ndata); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&k, nonce32, NULL); - ret &= !rustsecp256k1zkp_v0_5_0_scalar_is_zero(&k); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&k, &rustsecp256k1zkp_v0_5_0_scalar_one, !ret); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&k, nonce32, NULL); + ret &= !rustsecp256k1zkp_v0_6_0_scalar_is_zero(&k); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&k, &rustsecp256k1zkp_v0_6_0_scalar_one, !ret); /* R' := k*G */ - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &rpj, &k); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&rp, &rpj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &rpj, &k); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&rp, &rpj); /* R = k*Y; */ - rustsecp256k1zkp_v0_5_0_ecmult_const(&rj, &enckey_ge, &k, 256); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&r, &rj); + rustsecp256k1zkp_v0_6_0_ecmult_const(&rj, &enckey_ge, &k, 256); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&r, &rj); /* We declassify the non-secret values rp and r to allow using them * as branch points. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &rp, sizeof(rp)); - rustsecp256k1zkp_v0_5_0_declassify(ctx, &r, sizeof(r)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &rp, sizeof(rp)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &r, sizeof(r)); /* dleq_proof = DLEQ_prove(k, (R', Y, R)) */ - ret &= rustsecp256k1zkp_v0_5_0_dleq_prove(ctx, &dleq_proof_s, &dleq_proof_e, &k, &enckey_ge, &rp, &r, noncefp, ndata); - - ret &= rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sk, seckey32); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sk, &rustsecp256k1zkp_v0_5_0_scalar_one, !ret); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&msg, msg32, NULL); - rustsecp256k1zkp_v0_5_0_fe_normalize(&r.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(buf33, &r.x); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sigr, buf33, NULL); - ret &= !rustsecp256k1zkp_v0_5_0_scalar_is_zero(&sigr); + ret &= rustsecp256k1zkp_v0_6_0_dleq_prove(ctx, &dleq_proof_s, &dleq_proof_e, &k, &enckey_ge, &rp, &r, noncefp, ndata); + + ret &= rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sk, seckey32); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sk, &rustsecp256k1zkp_v0_6_0_scalar_one, !ret); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&msg, msg32, NULL); + rustsecp256k1zkp_v0_6_0_fe_normalize(&r.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(buf33, &r.x); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sigr, buf33, NULL); + ret &= !rustsecp256k1zkp_v0_6_0_scalar_is_zero(&sigr); /* s' = kā»Ā¹(m + R.x * x) */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&n, &sigr, &sk); - rustsecp256k1zkp_v0_5_0_scalar_add(&n, &n, &msg); - rustsecp256k1zkp_v0_5_0_scalar_inverse(&sp, &k); - rustsecp256k1zkp_v0_5_0_scalar_mul(&sp, &sp, &n); - ret &= !rustsecp256k1zkp_v0_5_0_scalar_is_zero(&sp); + rustsecp256k1zkp_v0_6_0_scalar_mul(&n, &sigr, &sk); + rustsecp256k1zkp_v0_6_0_scalar_add(&n, &n, &msg); + rustsecp256k1zkp_v0_6_0_scalar_inverse(&sp, &k); + rustsecp256k1zkp_v0_6_0_scalar_mul(&sp, &sp, &n); + ret &= !rustsecp256k1zkp_v0_6_0_scalar_is_zero(&sp); /* return (R, R', s', dleq_proof) */ - ret &= rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_serialize(adaptor_sig162, &r, &rp, &sp, &dleq_proof_e, &dleq_proof_s); + ret &= rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_serialize(adaptor_sig162, &r, &rp, &sp, &dleq_proof_e, &dleq_proof_s); - rustsecp256k1zkp_v0_5_0_memczero(adaptor_sig162, 162, !ret); - rustsecp256k1zkp_v0_5_0_scalar_clear(&n); - rustsecp256k1zkp_v0_5_0_scalar_clear(&k); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sk); + rustsecp256k1zkp_v0_6_0_memczero(adaptor_sig162, 162, !ret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&n); + rustsecp256k1zkp_v0_6_0_scalar_clear(&k); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sk); return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const unsigned char *adaptor_sig162, const rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *msg32, const rustsecp256k1zkp_v0_5_0_pubkey *enckey) { - rustsecp256k1zkp_v0_5_0_scalar dleq_proof_s, dleq_proof_e; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_ge pubkey_ge; - rustsecp256k1zkp_v0_5_0_ge r, rp; - rustsecp256k1zkp_v0_5_0_scalar sp; - rustsecp256k1zkp_v0_5_0_scalar sigr; - rustsecp256k1zkp_v0_5_0_ge enckey_ge; - rustsecp256k1zkp_v0_5_0_gej derived_rp; - rustsecp256k1zkp_v0_5_0_scalar sn, u1, u2; - rustsecp256k1zkp_v0_5_0_gej pubkeyj; +int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *adaptor_sig162, const rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *msg32, const rustsecp256k1zkp_v0_6_0_pubkey *enckey) { + rustsecp256k1zkp_v0_6_0_scalar dleq_proof_s, dleq_proof_e; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_ge pubkey_ge; + rustsecp256k1zkp_v0_6_0_ge r, rp; + rustsecp256k1zkp_v0_6_0_scalar sp; + rustsecp256k1zkp_v0_6_0_scalar sigr; + rustsecp256k1zkp_v0_6_0_ge enckey_ge; + rustsecp256k1zkp_v0_6_0_gej derived_rp; + rustsecp256k1zkp_v0_6_0_scalar sn, u1, u2; + rustsecp256k1zkp_v0_6_0_gej pubkeyj; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(adaptor_sig162 != NULL); ARG_CHECK(pubkey != NULL); ARG_CHECK(msg32 != NULL); ARG_CHECK(enckey != NULL); - if (!rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig162)) { + if (!rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig162)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &enckey_ge, enckey)) { + if (!rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &enckey_ge, enckey)) { return 0; } /* DLEQ_verify((R', Y, R), dleq_proof) */ - if(!rustsecp256k1zkp_v0_5_0_dleq_verify(&ctx->ecmult_ctx, &dleq_proof_s, &dleq_proof_e, &rp, &enckey_ge, &r)) { + if(!rustsecp256k1zkp_v0_6_0_dleq_verify(&ctx->ecmult_ctx, &dleq_proof_s, &dleq_proof_e, &rp, &enckey_ge, &r)) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&msg, msg32, NULL); - if (!rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &pubkey_ge, pubkey)) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&msg, msg32, NULL); + if (!rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &pubkey_ge, pubkey)) { return 0; } /* return R' == s'ā»Ā¹(m * G + R.x * X) */ - rustsecp256k1zkp_v0_5_0_scalar_inverse_var(&sn, &sp); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u1, &sn, &msg); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u2, &sn, &sigr); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pubkeyj, &pubkey_ge); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &derived_rp, &pubkeyj, &u2, &u1); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&derived_rp)) { + rustsecp256k1zkp_v0_6_0_scalar_inverse_var(&sn, &sp); + rustsecp256k1zkp_v0_6_0_scalar_mul(&u1, &sn, &msg); + rustsecp256k1zkp_v0_6_0_scalar_mul(&u2, &sn, &sigr); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pubkeyj, &pubkey_ge); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &derived_rp, &pubkeyj, &u2, &u1); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&derived_rp)) { return 0; } - rustsecp256k1zkp_v0_5_0_gej_neg(&derived_rp, &derived_rp); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&derived_rp, &derived_rp, &rp, NULL); - return rustsecp256k1zkp_v0_5_0_gej_is_infinity(&derived_rp); + rustsecp256k1zkp_v0_6_0_gej_neg(&derived_rp, &derived_rp); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&derived_rp, &derived_rp, &rp, NULL); + return rustsecp256k1zkp_v0_6_0_gej_is_infinity(&derived_rp); } -int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, const unsigned char *deckey32, const unsigned char *adaptor_sig162) { - rustsecp256k1zkp_v0_5_0_scalar deckey; - rustsecp256k1zkp_v0_5_0_scalar sp; - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_scalar sigr; +int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *deckey32, const unsigned char *adaptor_sig162) { + rustsecp256k1zkp_v0_6_0_scalar deckey; + rustsecp256k1zkp_v0_6_0_scalar sp; + rustsecp256k1zkp_v0_6_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar sigr; int overflow; int high; int ret = 1; @@ -285,79 +285,79 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(const rustsecp256k1zkp_v0_5_0_ ARG_CHECK(deckey32 != NULL); ARG_CHECK(adaptor_sig162 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sp); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&deckey, deckey32, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sp); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&deckey, deckey32, &overflow); ret &= !overflow; - ret &= rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, &sp, NULL, NULL, adaptor_sig162); - ret &= !rustsecp256k1zkp_v0_5_0_scalar_is_zero(&deckey); - rustsecp256k1zkp_v0_5_0_scalar_inverse(&s, &deckey); + ret &= rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, &sp, NULL, NULL, adaptor_sig162); + ret &= !rustsecp256k1zkp_v0_6_0_scalar_is_zero(&deckey); + rustsecp256k1zkp_v0_6_0_scalar_inverse(&s, &deckey); /* s = s' * yā»Ā¹ */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&s, &s, &sp); - high = rustsecp256k1zkp_v0_5_0_scalar_is_high(&s); - rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&s, high); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sig, &sigr, &s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&s, &s, &sp); + high = rustsecp256k1zkp_v0_6_0_scalar_is_high(&s); + rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&s, high); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sig, &sigr, &s); - rustsecp256k1zkp_v0_5_0_memczero(&sig->data[0], 64, !ret); - rustsecp256k1zkp_v0_5_0_scalar_clear(&deckey); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sp); - rustsecp256k1zkp_v0_5_0_scalar_clear(&s); + rustsecp256k1zkp_v0_6_0_memczero(&sig->data[0], 64, !ret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&deckey); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sp); + rustsecp256k1zkp_v0_6_0_scalar_clear(&s); return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *deckey32, const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, const unsigned char *adaptor_sig162, const rustsecp256k1zkp_v0_5_0_pubkey *enckey) { - rustsecp256k1zkp_v0_5_0_scalar sp, adaptor_sigr; - rustsecp256k1zkp_v0_5_0_scalar s, r; - rustsecp256k1zkp_v0_5_0_scalar deckey; - rustsecp256k1zkp_v0_5_0_ge enckey_expected_ge; - rustsecp256k1zkp_v0_5_0_gej enckey_expected_gej; +int rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *deckey32, const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *adaptor_sig162, const rustsecp256k1zkp_v0_6_0_pubkey *enckey) { + rustsecp256k1zkp_v0_6_0_scalar sp, adaptor_sigr; + rustsecp256k1zkp_v0_6_0_scalar s, r; + rustsecp256k1zkp_v0_6_0_scalar deckey; + rustsecp256k1zkp_v0_6_0_ge enckey_expected_ge; + rustsecp256k1zkp_v0_6_0_gej enckey_expected_gej; unsigned char enckey33[33]; unsigned char enckey_expected33[33]; size_t size = 33; int ret = 1; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(deckey32 != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(adaptor_sig162 != NULL); ARG_CHECK(enckey != NULL); - if (!rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, &adaptor_sigr, NULL, &sp, NULL, NULL, adaptor_sig162)) { + if (!rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, &adaptor_sigr, NULL, &sp, NULL, NULL, adaptor_sig162)) { return 0; } - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sig); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sig); /* Check that we're not looking at some unrelated signature */ - ret &= rustsecp256k1zkp_v0_5_0_scalar_eq(&adaptor_sigr, &r); + ret &= rustsecp256k1zkp_v0_6_0_scalar_eq(&adaptor_sigr, &r); /* y = sā»Ā¹ * s' */ - ret &= !rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s); - rustsecp256k1zkp_v0_5_0_scalar_inverse(&deckey, &s); - rustsecp256k1zkp_v0_5_0_scalar_mul(&deckey, &deckey, &sp); + ret &= !rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s); + rustsecp256k1zkp_v0_6_0_scalar_inverse(&deckey, &s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&deckey, &deckey, &sp); /* Deal with ECDSA malleability */ - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &enckey_expected_gej, &deckey); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&enckey_expected_ge, &enckey_expected_gej); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &enckey_expected_gej, &deckey); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&enckey_expected_ge, &enckey_expected_gej); /* We declassify non-secret enckey_expected_ge to allow using it as a * branch point. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &enckey_expected_ge, sizeof(enckey_expected_ge)); - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&enckey_expected_ge, enckey_expected33, &size, SECP256K1_EC_COMPRESSED)) { + rustsecp256k1zkp_v0_6_0_declassify(ctx, &enckey_expected_ge, sizeof(enckey_expected_ge)); + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&enckey_expected_ge, enckey_expected33, &size, SECP256K1_EC_COMPRESSED)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, enckey33, &size, enckey, SECP256K1_EC_COMPRESSED)) { + if (!rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, enckey33, &size, enckey, SECP256K1_EC_COMPRESSED)) { return 0; } - if (rustsecp256k1zkp_v0_5_0_memcmp_var(&enckey_expected33[1], &enckey33[1], 32) != 0) { + if (rustsecp256k1zkp_v0_6_0_memcmp_var(&enckey_expected33[1], &enckey33[1], 32) != 0) { return 0; } if (enckey_expected33[0] != enckey33[0]) { /* try Y_implied == -Y */ - rustsecp256k1zkp_v0_5_0_scalar_negate(&deckey, &deckey); + rustsecp256k1zkp_v0_6_0_scalar_negate(&deckey, &deckey); } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(deckey32, &deckey); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(deckey32, &deckey); - rustsecp256k1zkp_v0_5_0_scalar_clear(&deckey); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sp); - rustsecp256k1zkp_v0_5_0_scalar_clear(&s); + rustsecp256k1zkp_v0_6_0_scalar_clear(&deckey); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sp); + rustsecp256k1zkp_v0_6_0_scalar_clear(&s); return ret; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/tests_impl.h index 8db52cd2..4c40f81b 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_adaptor/tests_impl.h @@ -3,33 +3,33 @@ #include "include/secp256k1_ecdsa_adaptor.h" -void rand_scalar(rustsecp256k1zkp_v0_5_0_scalar *scalar) { +void rand_scalar(rustsecp256k1zkp_v0_6_0_scalar *scalar) { unsigned char buf32[32]; - rustsecp256k1zkp_v0_5_0_testrand256(buf32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(scalar, buf32, NULL); + rustsecp256k1zkp_v0_6_0_testrand256(buf32); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(scalar, buf32, NULL); } -void rand_point(rustsecp256k1zkp_v0_5_0_ge *point) { - rustsecp256k1zkp_v0_5_0_scalar x; - rustsecp256k1zkp_v0_5_0_gej pointj; +void rand_point(rustsecp256k1zkp_v0_6_0_ge *point) { + rustsecp256k1zkp_v0_6_0_scalar x; + rustsecp256k1zkp_v0_6_0_gej pointj; rand_scalar(&x); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pointj, &x); - rustsecp256k1zkp_v0_5_0_ge_set_gej(point, &pointj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pointj, &x); + rustsecp256k1zkp_v0_6_0_ge_set_gej(point, &pointj); } void dleq_nonce_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) { - rustsecp256k1zkp_v0_5_0_scalar k1, k2; + rustsecp256k1zkp_v0_6_0_scalar k1, k2; - CHECK(rustsecp256k1zkp_v0_5_0_dleq_nonce(&k1, args[0], args[1], args[2], args[3], NULL, args[4]) == 1); - rustsecp256k1zkp_v0_5_0_testrand_flip(args[n_flip], n_bytes); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_nonce(&k2, args[0], args[1], args[2], args[3], NULL, args[4]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&k1, &k2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_nonce(&k1, args[0], args[1], args[2], args[3], NULL, args[4]) == 1); + rustsecp256k1zkp_v0_6_0_testrand_flip(args[n_flip], n_bytes); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_nonce(&k2, args[0], args[1], args[2], args[3], NULL, args[4]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&k1, &k2) == 0); } void dleq_tests(void) { - rustsecp256k1zkp_v0_5_0_scalar s, e, sk, k; - rustsecp256k1zkp_v0_5_0_ge gen2, p1, p2; + rustsecp256k1zkp_v0_6_0_scalar s, e, sk, k; + rustsecp256k1zkp_v0_6_0_ge gen2, p1, p2; unsigned char *args[5]; unsigned char sk32[32]; unsigned char gen2_33[33]; @@ -41,43 +41,43 @@ void dleq_tests(void) { rand_point(&gen2); rand_scalar(&sk); - rustsecp256k1zkp_v0_5_0_dleq_pair(&ctx->ecmult_gen_ctx, &p1, &p2, &sk, &gen2); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p2, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p1, &gen2, &p2) == 1); + rustsecp256k1zkp_v0_6_0_dleq_pair(&ctx->ecmult_gen_ctx, &p1, &p2, &sk, &gen2); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p1, &gen2, &p2) == 1); { - rustsecp256k1zkp_v0_5_0_scalar tmp; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&tmp, 1); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_verify(&ctx->ecmult_ctx, &tmp, &e, &p1, &gen2, &p2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_verify(&ctx->ecmult_ctx, &s, &tmp, &p1, &gen2, &p2) == 0); + rustsecp256k1zkp_v0_6_0_scalar tmp; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&tmp, 1); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_verify(&ctx->ecmult_ctx, &tmp, &e, &p1, &gen2, &p2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_verify(&ctx->ecmult_ctx, &s, &tmp, &p1, &gen2, &p2) == 0); } { - rustsecp256k1zkp_v0_5_0_ge p_tmp; + rustsecp256k1zkp_v0_6_0_ge p_tmp; rand_point(&p_tmp); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p_tmp, &gen2, &p2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p1, &p_tmp, &p2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p1, &gen2, &p_tmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p_tmp, &gen2, &p2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p1, &p_tmp, &p2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_verify(&ctx->ecmult_ctx, &s, &e, &p1, &gen2, &p_tmp) == 0); } { - rustsecp256k1zkp_v0_5_0_ge p_inf; - rustsecp256k1zkp_v0_5_0_ge_set_infinity(&p_inf); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_prove(ctx, &s, &e, &sk, &p_inf, &p1, &p2, NULL, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_prove(ctx, &s, &e, &sk, &gen2, &p_inf, &p2, NULL, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p_inf, NULL, NULL) == 0); + rustsecp256k1zkp_v0_6_0_ge p_inf; + rustsecp256k1zkp_v0_6_0_ge_set_infinity(&p_inf); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_prove(ctx, &s, &e, &sk, &p_inf, &p1, &p2, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_prove(ctx, &s, &e, &sk, &gen2, &p_inf, &p2, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p_inf, NULL, NULL) == 0); } /* Nonce tests */ - rustsecp256k1zkp_v0_5_0_scalar_get_b32(sk32, &sk); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&gen2, gen2_33, &pubkey_size, 1)); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&p1, p1_33, &pubkey_size, 1)); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&p2, p2_33, &pubkey_size, 1)); - CHECK(rustsecp256k1zkp_v0_5_0_dleq_nonce(&k, sk32, gen2_33, p1_33, p2_33, NULL, NULL) == 1); - - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, sk32, sizeof(sk32)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, gen2_33, sizeof(gen2_33)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, p1_33, sizeof(p1_33)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, p2_33, sizeof(p2_33)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, aux_rand, sizeof(aux_rand)); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(sk32, &sk); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&gen2, gen2_33, &pubkey_size, 1)); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&p1, p1_33, &pubkey_size, 1)); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&p2, p2_33, &pubkey_size, 1)); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_nonce(&k, sk32, gen2_33, p1_33, p2_33, NULL, NULL) == 1); + + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, sk32, sizeof(sk32)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, gen2_33, sizeof(gen2_33)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, p1_33, sizeof(p1_33)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, p2_33, sizeof(p2_33)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, aux_rand, sizeof(aux_rand)); /* Check that a bitflip in an argument results in different nonces. */ args[0] = sk32; @@ -97,56 +97,56 @@ void dleq_tests(void) { } /* NULL aux_rand argument is allowed. */ - CHECK(rustsecp256k1zkp_v0_5_0_dleq_nonce(&k, sk32, gen2_33, p1_33, p2_33, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_dleq_nonce(&k, sk32, gen2_33, p1_33, p2_33, NULL, NULL) == 1); } void rand_flip_bit(unsigned char *array, size_t n) { - array[rustsecp256k1zkp_v0_5_0_testrand_int(n)] ^= 1 << rustsecp256k1zkp_v0_5_0_testrand_int(8); + array[rustsecp256k1zkp_v0_6_0_testrand_int(n)] ^= 1 << rustsecp256k1zkp_v0_6_0_testrand_int(8); } /* Helper function for test_ecdsa_adaptor_spec_vectors * Checks that the adaptor signature is valid for the public and encryption keys. */ void test_ecdsa_adaptor_spec_vectors_check_verify(const unsigned char *adaptor_sig162, const unsigned char *msg32, const unsigned char *pubkey33, const unsigned char *encryption_key33, int expected) { - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_ge pubkey_ge; - rustsecp256k1zkp_v0_5_0_pubkey encryption_key; - rustsecp256k1zkp_v0_5_0_ge encryption_key_ge; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_ge pubkey_ge; + rustsecp256k1zkp_v0_6_0_pubkey encryption_key; + rustsecp256k1zkp_v0_6_0_ge encryption_key_ge; - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&encryption_key_ge, encryption_key33, 33) == 1); - rustsecp256k1zkp_v0_5_0_pubkey_save(&encryption_key, &encryption_key_ge); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&pubkey_ge, pubkey33, 33) == 1); - rustsecp256k1zkp_v0_5_0_pubkey_save(&pubkey, &pubkey_ge); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&encryption_key_ge, encryption_key33, 33) == 1); + rustsecp256k1zkp_v0_6_0_pubkey_save(&encryption_key, &encryption_key_ge); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&pubkey_ge, pubkey33, 33) == 1); + rustsecp256k1zkp_v0_6_0_pubkey_save(&pubkey, &pubkey_ge); - CHECK(expected == rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, adaptor_sig162, &pubkey, msg32, &encryption_key)); + CHECK(expected == rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, adaptor_sig162, &pubkey, msg32, &encryption_key)); } /* Helper function for test_ecdsa_adaptor_spec_vectors * Checks that the signature can be decrypted from the adaptor signature and the decryption key. */ void test_ecdsa_adaptor_spec_vectors_check_decrypt(const unsigned char *adaptor_sig162, const unsigned char *decryption_key32, const unsigned char *signature64, int expected) { unsigned char signature[64]; - rustsecp256k1zkp_v0_5_0_ecdsa_signature s; + rustsecp256k1zkp_v0_6_0_ecdsa_signature s; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(ctx, &s, decryption_key32, adaptor_sig162) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, signature, &s) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(ctx, &s, decryption_key32, adaptor_sig162) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, signature, &s) == 1); - CHECK(expected == !(rustsecp256k1zkp_v0_5_0_memcmp_var(signature, signature64, 64))); + CHECK(expected == !(rustsecp256k1zkp_v0_6_0_memcmp_var(signature, signature64, 64))); } /* Helper function for test_ecdsa_adaptor_spec_vectors * Checks that the decryption key can be recovered from the adaptor signature, encryption key, and the signature. */ void test_ecdsa_adaptor_spec_vectors_check_recover(const unsigned char *adaptor_sig162, const unsigned char *encryption_key33, const unsigned char *decryption_key32, const unsigned char *signature64, int expected) { unsigned char deckey32[32] = { 0 }; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; - rustsecp256k1zkp_v0_5_0_pubkey encryption_key; - rustsecp256k1zkp_v0_5_0_ge encryption_key_ge; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey encryption_key; + rustsecp256k1zkp_v0_6_0_ge encryption_key_ge; - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&encryption_key_ge, encryption_key33, 33) == 1); - rustsecp256k1zkp_v0_5_0_pubkey_save(&encryption_key, &encryption_key_ge); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&encryption_key_ge, encryption_key33, 33) == 1); + rustsecp256k1zkp_v0_6_0_pubkey_save(&encryption_key, &encryption_key_ge); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, &sig, signature64) == 1); - CHECK(expected == rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(ctx, deckey32, &sig, adaptor_sig162, &encryption_key)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, &sig, signature64) == 1); + CHECK(expected == rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(ctx, deckey32, &sig, adaptor_sig162, &encryption_key)); if (decryption_key32 != NULL) { - CHECK(expected == !(rustsecp256k1zkp_v0_5_0_memcmp_var(deckey32, decryption_key32, 32))); + CHECK(expected == !(rustsecp256k1zkp_v0_6_0_memcmp_var(deckey32, decryption_key32, 32))); } } @@ -154,15 +154,15 @@ void test_ecdsa_adaptor_spec_vectors_check_recover(const unsigned char *adaptor_ * Checks deserialization and serialization. */ void test_ecdsa_adaptor_spec_vectors_check_serialization(const unsigned char *adaptor_sig162, int expected) { unsigned char buf[162]; - rustsecp256k1zkp_v0_5_0_scalar dleq_proof_s, dleq_proof_e; - rustsecp256k1zkp_v0_5_0_ge r, rp; - rustsecp256k1zkp_v0_5_0_scalar sp; - rustsecp256k1zkp_v0_5_0_scalar sigr; + rustsecp256k1zkp_v0_6_0_scalar dleq_proof_s, dleq_proof_e; + rustsecp256k1zkp_v0_6_0_ge r, rp; + rustsecp256k1zkp_v0_6_0_scalar sp; + rustsecp256k1zkp_v0_6_0_scalar sigr; - CHECK(expected == rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig162)); + CHECK(expected == rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig162)); if (expected == 1) { - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_serialize(buf, &r, &rp, &sp, &dleq_proof_e, &dleq_proof_s) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(buf, adaptor_sig162, 162) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_serialize(buf, &r, &rp, &sp, &dleq_proof_e, &dleq_proof_s) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(buf, adaptor_sig162, 162) == 0); } } @@ -713,20 +713,20 @@ static int ecdsa_adaptor_nonce_function_overflowing(unsigned char *nonce32, cons void nonce_function_ecdsa_adaptor_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes, size_t algolen) { unsigned char nonces[2][32]; CHECK(nonce_function_ecdsa_adaptor(nonces[0], args[0], args[1], args[2], args[3], algolen, args[4]) == 1); - rustsecp256k1zkp_v0_5_0_testrand_flip(args[n_flip], n_bytes); + rustsecp256k1zkp_v0_6_0_testrand_flip(args[n_flip], n_bytes); CHECK(nonce_function_ecdsa_adaptor(nonces[1], args[0], args[1], args[2], args[3], algolen, args[4]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonces[0], nonces[1], 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonces[0], nonces[1], 32) != 0); } /* Tests for the equality of two sha256 structs. This function only produces a * correct result if an integer multiple of 64 many bytes have been written * into the hash functions. */ -void ecdsa_adaptor_test_sha256_eq(const rustsecp256k1zkp_v0_5_0_sha256 *sha1, const rustsecp256k1zkp_v0_5_0_sha256 *sha2) { +void ecdsa_adaptor_test_sha256_eq(const rustsecp256k1zkp_v0_6_0_sha256 *sha1, const rustsecp256k1zkp_v0_6_0_sha256 *sha2) { /* Is buffer fully consumed? */ CHECK((sha1->bytes & 0x3F) == 0); CHECK(sha1->bytes == sha2->bytes); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0); } void run_nonce_function_ecdsa_adaptor_tests(void) { @@ -735,8 +735,8 @@ void run_nonce_function_ecdsa_adaptor_tests(void) { unsigned char algo[16] = "ECDSAadaptor/non"; size_t algolen = sizeof(algo); unsigned char dleq_tag[4] = "DLEQ"; - rustsecp256k1zkp_v0_5_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_sha256 sha_optimized; + rustsecp256k1zkp_v0_6_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha_optimized; unsigned char nonce[32]; unsigned char msg[32]; unsigned char key[32]; @@ -746,30 +746,30 @@ void run_nonce_function_ecdsa_adaptor_tests(void) { int i; /* Check that hash initialized by - * rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged has the expected + * rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged has the expected * state. */ - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, tag, sizeof(tag)); - rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, tag, sizeof(tag)); + rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged(&sha_optimized); ecdsa_adaptor_test_sha256_eq(&sha, &sha_optimized); /* Check that hash initialized by - * rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux has the expected + * rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux has the expected * state. */ - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag)); - rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag)); + rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor_sha256_tagged_aux(&sha_optimized); ecdsa_adaptor_test_sha256_eq(&sha, &sha_optimized); /* Check that hash initialized by - * rustsecp256k1zkp_v0_5_0_nonce_function_dleq_sha256_tagged_aux has the expected + * rustsecp256k1zkp_v0_6_0_nonce_function_dleq_sha256_tagged_aux has the expected * state. */ - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, dleq_tag, sizeof(dleq_tag)); - rustsecp256k1zkp_v0_5_0_nonce_function_dleq_sha256_tagged(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, dleq_tag, sizeof(dleq_tag)); + rustsecp256k1zkp_v0_6_0_nonce_function_dleq_sha256_tagged(&sha_optimized); ecdsa_adaptor_test_sha256_eq(&sha, &sha_optimized); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, msg, sizeof(msg)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, key, sizeof(key)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, pk, sizeof(pk)); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, aux_rand, sizeof(aux_rand)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, msg, sizeof(msg)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, key, sizeof(key)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, pk, sizeof(pk)); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, aux_rand, sizeof(aux_rand)); /* Check that a bitflip in an argument results in different nonces. */ args[0] = msg; @@ -802,11 +802,11 @@ void run_nonce_function_ecdsa_adaptor_tests(void) { /* Different algolen gives different nonce */ for (i = 0; i < count; i++) { unsigned char nonce2[32]; - uint32_t offset = rustsecp256k1zkp_v0_5_0_testrand_int(algolen - 1); + uint32_t offset = rustsecp256k1zkp_v0_6_0_testrand_int(algolen - 1); size_t algolen_tmp = (algolen + offset) % algolen; CHECK(nonce_function_ecdsa_adaptor(nonce2, msg, key, pk, algo, algolen_tmp, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonce, nonce2, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonce, nonce2, 32) != 0); } /* NULL aux_rand argument is allowed. */ @@ -814,234 +814,234 @@ void run_nonce_function_ecdsa_adaptor_tests(void) { } void test_ecdsa_adaptor_api(void) { - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_pubkey enckey; - rustsecp256k1zkp_v0_5_0_pubkey zero_pk; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey enckey; + rustsecp256k1zkp_v0_6_0_pubkey zero_pk; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; unsigned char sk[32]; unsigned char msg[32]; unsigned char asig[162]; unsigned char deckey[32]; /** setup **/ - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_context *both = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *both = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); int ecount; - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); - - rustsecp256k1zkp_v0_5_0_testrand256(sk); - rustsecp256k1zkp_v0_5_0_testrand256(msg); - rustsecp256k1zkp_v0_5_0_testrand256(deckey); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &enckey, deckey) == 1); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); + + rustsecp256k1zkp_v0_6_0_testrand256(sk); + rustsecp256k1zkp_v0_6_0_testrand256(msg); + rustsecp256k1zkp_v0_6_0_testrand256(deckey); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &enckey, deckey) == 1); memset(&zero_pk, 0, sizeof(zero_pk)); /** main test body **/ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(none, asig, sk, &enckey, msg, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(none, asig, sk, &enckey, msg, NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(vrfy, asig, sk, &enckey, msg, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(vrfy, asig, sk, &enckey, msg, NULL, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(sign, asig, sk, &enckey, msg, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(sign, asig, sk, &enckey, msg, NULL, NULL) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(sign, NULL, sk, &enckey, msg, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(sign, NULL, sk, &enckey, msg, NULL, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(sign, asig, sk, &enckey, NULL, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(sign, asig, sk, &enckey, NULL, NULL, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(sign, asig, NULL, &enckey, msg, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(sign, asig, NULL, &enckey, msg, NULL, NULL) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(sign, asig, sk, NULL, msg, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(sign, asig, sk, NULL, msg, NULL, NULL) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(sign, asig, sk, &zero_pk, msg, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(sign, asig, sk, &zero_pk, msg, NULL, NULL) == 0); CHECK(ecount == 7); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(sign, asig, sk, &enckey, msg, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(none, asig, &pubkey, msg, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(sign, asig, sk, &enckey, msg, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(none, asig, &pubkey, msg, &enckey) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(sign, asig, &pubkey, msg, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(sign, asig, &pubkey, msg, &enckey) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, msg, &enckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, msg, &enckey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(vrfy, NULL, &pubkey, msg, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(vrfy, NULL, &pubkey, msg, &enckey) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, NULL, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, NULL, &enckey) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, msg, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, msg, NULL) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(vrfy, asig, NULL, msg, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(vrfy, asig, NULL, msg, &enckey) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(vrfy, asig, &zero_pk, msg, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(vrfy, asig, &zero_pk, msg, &enckey) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, msg, &zero_pk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(vrfy, asig, &pubkey, msg, &zero_pk) == 0); CHECK(ecount == 8); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(none, &sig, deckey, asig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(sign, &sig, deckey, asig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(vrfy, &sig, deckey, asig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(both, &sig, deckey, asig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(both, NULL, deckey, asig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(none, &sig, deckey, asig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(sign, &sig, deckey, asig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(vrfy, &sig, deckey, asig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(both, &sig, deckey, asig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(both, NULL, deckey, asig) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(both, &sig, NULL, asig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(both, &sig, NULL, asig) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(both, &sig, deckey, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(both, &sig, deckey, NULL) == 0); CHECK(ecount == 3); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(both, &sig, deckey, asig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(none, deckey, &sig, asig, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(both, &sig, deckey, asig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(none, deckey, &sig, asig, &enckey) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(vrfy, deckey, &sig, asig, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(vrfy, deckey, &sig, asig, &enckey) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(sign, deckey, &sig, asig, &enckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(sign, deckey, &sig, asig, &enckey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(sign, NULL, &sig, asig, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(sign, NULL, &sig, asig, &enckey) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(sign, deckey, NULL, asig, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(sign, deckey, NULL, asig, &enckey) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(sign, deckey, &sig, NULL, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(sign, deckey, &sig, NULL, &enckey) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(sign, deckey, &sig, asig, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(sign, deckey, &sig, asig, NULL) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(sign, deckey, &sig, asig, &zero_pk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(sign, deckey, &sig, asig, &zero_pk) == 0); CHECK(ecount == 7); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_destroy(both); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(both); } void adaptor_tests(void) { unsigned char seckey[32]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; unsigned char msg[32]; unsigned char deckey[32]; - rustsecp256k1zkp_v0_5_0_pubkey enckey; + rustsecp256k1zkp_v0_6_0_pubkey enckey; unsigned char adaptor_sig[162]; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; unsigned char zeros162[162] = { 0 }; unsigned char zeros64[64] = { 0 }; unsigned char big[32]; - rustsecp256k1zkp_v0_5_0_testrand256(seckey); - rustsecp256k1zkp_v0_5_0_testrand256(msg); - rustsecp256k1zkp_v0_5_0_testrand256(deckey); + rustsecp256k1zkp_v0_6_0_testrand256(seckey); + rustsecp256k1zkp_v0_6_0_testrand256(msg); + rustsecp256k1zkp_v0_6_0_testrand256(deckey); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, seckey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &enckey, deckey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, seckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &enckey, deckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, NULL, NULL) == 1); { /* Test overflowing seckey */ memset(big, 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, big, &enckey, msg, NULL, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, big, &enckey, msg, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); /* Test different nonce functions */ memset(adaptor_sig, 1, sizeof(adaptor_sig)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_failing, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_failing, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); memset(&adaptor_sig, 1, sizeof(adaptor_sig)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_0, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_overflowing, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_0, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_overflowing, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) != 0); } { /* Test adaptor_sig_serialize roundtrip */ - rustsecp256k1zkp_v0_5_0_ge r, rp; - rustsecp256k1zkp_v0_5_0_scalar sigr; - rustsecp256k1zkp_v0_5_0_scalar sp; - rustsecp256k1zkp_v0_5_0_scalar dleq_proof_s, dleq_proof_e; - rustsecp256k1zkp_v0_5_0_ge p_inf; + rustsecp256k1zkp_v0_6_0_ge r, rp; + rustsecp256k1zkp_v0_6_0_scalar sigr; + rustsecp256k1zkp_v0_6_0_scalar sp; + rustsecp256k1zkp_v0_6_0_scalar dleq_proof_s, dleq_proof_e; + rustsecp256k1zkp_v0_6_0_ge p_inf; unsigned char adaptor_sig_tmp[162]; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_serialize(adaptor_sig_tmp, &r, &rp, &sp, &dleq_proof_e, &dleq_proof_s) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_serialize(adaptor_sig_tmp, &r, &rp, &sp, &dleq_proof_e, &dleq_proof_s) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)) == 0); /* Test adaptor_sig_serialize points at infinity */ - rustsecp256k1zkp_v0_5_0_ge_set_infinity(&p_inf); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_serialize(adaptor_sig_tmp, &p_inf, &rp, &sp, &dleq_proof_e, &dleq_proof_s) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_serialize(adaptor_sig_tmp, &r, &p_inf, &sp, &dleq_proof_e, &dleq_proof_s) == 0); + rustsecp256k1zkp_v0_6_0_ge_set_infinity(&p_inf); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_serialize(adaptor_sig_tmp, &p_inf, &rp, &sp, &dleq_proof_e, &dleq_proof_s) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_serialize(adaptor_sig_tmp, &r, &p_inf, &sp, &dleq_proof_e, &dleq_proof_s) == 0); } { /* Test adaptor_sig_deserialize */ - rustsecp256k1zkp_v0_5_0_ge r, rp; - rustsecp256k1zkp_v0_5_0_scalar sigr; - rustsecp256k1zkp_v0_5_0_scalar sp; - rustsecp256k1zkp_v0_5_0_scalar dleq_proof_s, dleq_proof_e; + rustsecp256k1zkp_v0_6_0_ge r, rp; + rustsecp256k1zkp_v0_6_0_scalar sigr; + rustsecp256k1zkp_v0_6_0_scalar sp; + rustsecp256k1zkp_v0_6_0_scalar dleq_proof_s, dleq_proof_e; unsigned char adaptor_sig_tmp[162]; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, &rp, &sp, &dleq_proof_e, &dleq_proof_s, adaptor_sig) == 1); /* r */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, NULL, NULL, NULL, NULL, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, NULL, NULL, NULL, NULL, adaptor_sig) == 1); memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memset(&adaptor_sig_tmp[0], 0xFF, 33); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, NULL, NULL, NULL, NULL, adaptor_sig_tmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(&r, &sigr, NULL, NULL, NULL, NULL, adaptor_sig_tmp) == 0); /* sigr */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig) == 1); memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memset(&adaptor_sig_tmp[1], 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig_tmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig_tmp) == 1); memset(&adaptor_sig_tmp[1], 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig_tmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig_tmp) == 0); /* rp */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, &rp, NULL, NULL, NULL, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, &rp, NULL, NULL, NULL, adaptor_sig) == 1); memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memset(&adaptor_sig_tmp[33], 0xFF, 33); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, &rp, NULL, NULL, NULL, adaptor_sig_tmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, &rp, NULL, NULL, NULL, adaptor_sig_tmp) == 0); /* sp */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, &sp, NULL, NULL, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, &sp, NULL, NULL, adaptor_sig) == 1); memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memset(&adaptor_sig_tmp[66], 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, &sp, NULL, NULL, adaptor_sig_tmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, &sp, NULL, NULL, adaptor_sig_tmp) == 0); /* dleq_proof_e */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, &dleq_proof_e, NULL, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, &dleq_proof_e, NULL, adaptor_sig) == 1); memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memset(&adaptor_sig_tmp[98], 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, &dleq_proof_e, NULL, adaptor_sig_tmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, &dleq_proof_e, NULL, adaptor_sig_tmp) == 1); /* dleq_proof_s */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, NULL, &dleq_proof_s, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, NULL, &dleq_proof_s, adaptor_sig) == 1); memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memset(&adaptor_sig_tmp[130], 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, NULL, &dleq_proof_s, adaptor_sig_tmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, NULL, NULL, NULL, NULL, &dleq_proof_s, adaptor_sig_tmp) == 0); } /* Test adaptor_sig_verify */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &enckey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &enckey, msg, &enckey) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &enckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &enckey, msg, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &pubkey) == 0); { unsigned char adaptor_sig_tmp[65]; memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); rand_flip_bit(&adaptor_sig_tmp[1], sizeof(adaptor_sig_tmp) - 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0); } { unsigned char msg_tmp[32]; memcpy(msg_tmp, msg, sizeof(msg_tmp)); rand_flip_bit(msg_tmp, sizeof(msg_tmp)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg_tmp, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg_tmp, &enckey) == 0); } { /* Verification must check that the derived R' is not equal to the point at @@ -1069,40 +1069,40 @@ void adaptor_tests(void) { unsigned char seckey_tmp[32] = { 0 }; unsigned char msg_tmp[32]; unsigned char adaptor_sig_tmp[162]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey_tmp; - rustsecp256k1zkp_v0_5_0_scalar sigr, t, m; + rustsecp256k1zkp_v0_6_0_pubkey pubkey_tmp; + rustsecp256k1zkp_v0_6_0_scalar sigr, t, m; /* m := t * sigr */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig) == 1); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&t, target, NULL); - rustsecp256k1zkp_v0_5_0_scalar_mul(&m, &t, &sigr); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(msg_tmp, &m); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_sig_deserialize(NULL, &sigr, NULL, NULL, NULL, NULL, adaptor_sig) == 1); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&t, target, NULL); + rustsecp256k1zkp_v0_6_0_scalar_mul(&m, &t, &sigr); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(msg_tmp, &m); /* X := G */ seckey_tmp[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey_tmp, seckey_tmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey_tmp, seckey_tmp) == 1); /* sp := sigr */ memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memcpy(&adaptor_sig_tmp[66], &adaptor_sig_tmp[1], 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey_tmp, msg_tmp, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey_tmp, msg_tmp, &enckey) == 0); } /* Test decryption */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(ctx, &sig, deckey, adaptor_sig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(ctx, &sig, deckey, adaptor_sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); { /* Test overflowing decryption key */ - rustsecp256k1zkp_v0_5_0_ecdsa_signature s; + rustsecp256k1zkp_v0_6_0_ecdsa_signature s; memset(big, 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(ctx, &s, big, adaptor_sig) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&s.data[0], zeros64, sizeof(&s.data[0])) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(ctx, &s, big, adaptor_sig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&s.data[0], zeros64, sizeof(&s.data[0])) == 0); } { /* Test key recover */ - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig_tmp; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig_tmp; unsigned char decryption_key_tmp[32]; unsigned char adaptor_sig_tmp[162]; const unsigned char order_le[32] = { @@ -1112,18 +1112,18 @@ void adaptor_tests(void) { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig, &enckey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(deckey, decryption_key_tmp, sizeof(deckey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig, &enckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(deckey, decryption_key_tmp, sizeof(deckey)) == 0); /* Test failed sp deserialization */ memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); memset(&adaptor_sig_tmp[66], 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig_tmp, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig_tmp, &enckey) == 0); /* Test failed enckey_expected serialization */ memcpy(sig_tmp.data, sig.data, 32); memcpy(&sig_tmp.data[32], order_le, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig_tmp, adaptor_sig, &enckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig_tmp, adaptor_sig, &enckey) == 0); } } @@ -1136,69 +1136,69 @@ void multi_hop_lock_tests(void) { unsigned char buf[32]; unsigned char asig_ab[162]; unsigned char asig_bc[162]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey_pop; - rustsecp256k1zkp_v0_5_0_pubkey pubkey_a, pubkey_b; - rustsecp256k1zkp_v0_5_0_pubkey l, r; - rustsecp256k1zkp_v0_5_0_ge l_ge, r_ge; - rustsecp256k1zkp_v0_5_0_scalar t1, t2, tp; - rustsecp256k1zkp_v0_5_0_scalar deckey; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig_ab, sig_bc; + rustsecp256k1zkp_v0_6_0_pubkey pubkey_pop; + rustsecp256k1zkp_v0_6_0_pubkey pubkey_a, pubkey_b; + rustsecp256k1zkp_v0_6_0_pubkey l, r; + rustsecp256k1zkp_v0_6_0_ge l_ge, r_ge; + rustsecp256k1zkp_v0_6_0_scalar t1, t2, tp; + rustsecp256k1zkp_v0_6_0_scalar deckey; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig_ab, sig_bc; - rustsecp256k1zkp_v0_5_0_testrand256(seckey_a); - rustsecp256k1zkp_v0_5_0_testrand256(seckey_b); + rustsecp256k1zkp_v0_6_0_testrand256(seckey_a); + rustsecp256k1zkp_v0_6_0_testrand256(seckey_b); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey_a, seckey_a)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey_b, seckey_b)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey_a, seckey_a)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey_b, seckey_b)); /* Carol setup */ /* Proof of payment */ - rustsecp256k1zkp_v0_5_0_testrand256(pop); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey_pop, pop)); + rustsecp256k1zkp_v0_6_0_testrand256(pop); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey_pop, pop)); /* Alice setup */ - rustsecp256k1zkp_v0_5_0_testrand256(tx_ab); + rustsecp256k1zkp_v0_6_0_testrand256(tx_ab); rand_scalar(&t1); rand_scalar(&t2); - rustsecp256k1zkp_v0_5_0_scalar_add(&tp, &t1, &t2); + rustsecp256k1zkp_v0_6_0_scalar_add(&tp, &t1, &t2); /* Left lock */ - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &l_ge, &pubkey_pop); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &l_ge, &t1)); - rustsecp256k1zkp_v0_5_0_pubkey_save(&l, &l_ge); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &l_ge, &pubkey_pop); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &l_ge, &t1)); + rustsecp256k1zkp_v0_6_0_pubkey_save(&l, &l_ge); /* Right lock */ - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &r_ge, &pubkey_pop); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &r_ge, &tp)); - rustsecp256k1zkp_v0_5_0_pubkey_save(&r, &r_ge); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, asig_ab, seckey_a, &l, tx_ab, NULL, NULL)); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &r_ge, &pubkey_pop); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &r_ge, &tp)); + rustsecp256k1zkp_v0_6_0_pubkey_save(&r, &r_ge); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, asig_ab, seckey_a, &l, tx_ab, NULL, NULL)); /* Bob setup */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, asig_ab, &pubkey_a, tx_ab, &l)); - rustsecp256k1zkp_v0_5_0_testrand256(tx_bc); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, asig_bc, seckey_b, &r, tx_bc, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, asig_ab, &pubkey_a, tx_ab, &l)); + rustsecp256k1zkp_v0_6_0_testrand256(tx_bc); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, asig_bc, seckey_b, &r, tx_bc, NULL, NULL)); /* Carol decrypt */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify(ctx, asig_bc, &pubkey_b, tx_bc, &r)); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&deckey, pop, NULL); - rustsecp256k1zkp_v0_5_0_scalar_add(&deckey, &deckey, &tp); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf, &deckey); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(ctx, &sig_bc, buf, asig_bc)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig_bc, tx_bc, &pubkey_b)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify(ctx, asig_bc, &pubkey_b, tx_bc, &r)); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&deckey, pop, NULL); + rustsecp256k1zkp_v0_6_0_scalar_add(&deckey, &deckey, &tp); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf, &deckey); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(ctx, &sig_bc, buf, asig_bc)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig_bc, tx_bc, &pubkey_b)); /* Bob recover and decrypt */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(ctx, buf, &sig_bc, asig_bc, &r)); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&deckey, buf, NULL); - rustsecp256k1zkp_v0_5_0_scalar_negate(&t2, &t2); - rustsecp256k1zkp_v0_5_0_scalar_add(&deckey, &deckey, &t2); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf, &deckey); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(ctx, &sig_ab, buf, asig_ab)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig_ab, tx_ab, &pubkey_a)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(ctx, buf, &sig_bc, asig_bc, &r)); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&deckey, buf, NULL); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t2, &t2); + rustsecp256k1zkp_v0_6_0_scalar_add(&deckey, &deckey, &t2); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf, &deckey); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(ctx, &sig_ab, buf, asig_ab)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig_ab, tx_ab, &pubkey_a)); /* Alice recover and derive proof of payment */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(ctx, buf, &sig_ab, asig_ab, &l)); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&deckey, buf, NULL); - rustsecp256k1zkp_v0_5_0_scalar_negate(&t1, &t1); - rustsecp256k1zkp_v0_5_0_scalar_add(&deckey, &deckey, &t1); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf, &deckey); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(buf, pop, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(ctx, buf, &sig_ab, asig_ab, &l)); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&deckey, buf, NULL); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t1, &t1); + rustsecp256k1zkp_v0_6_0_scalar_add(&deckey, &deckey, &t1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf, &deckey); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(buf, pop, 32) == 0); } void run_ecdsa_adaptor_tests(void) { diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/Makefile.am.include index 1c049b9e..0e89152b 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/Makefile.am.include @@ -1,3 +1,3 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_ecdsa_s2c.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_ecdsa_s2c.h noinst_HEADERS += src/modules/ecdsa_s2c/main_impl.h noinst_HEADERS += src/modules/ecdsa_s2c/tests_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/main_impl.h index 597c9ffb..11e2d8d1 100755 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/main_impl.h @@ -10,33 +10,33 @@ #include "include/secp256k1.h" #include "include/secp256k1_ecdsa_s2c.h" -static void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_5_0_ge* ge) { - rustsecp256k1zkp_v0_5_0_pubkey_save((rustsecp256k1zkp_v0_5_0_pubkey*) opening, ge); +static void rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_6_0_ge* ge) { + rustsecp256k1zkp_v0_6_0_pubkey_save((rustsecp256k1zkp_v0_6_0_pubkey*) opening, ge); } -static int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ge* ge, const rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening) { - return rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, ge, (const rustsecp256k1zkp_v0_5_0_pubkey*) opening); +static int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ge* ge, const rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening) { + return rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, ge, (const rustsecp256k1zkp_v0_6_0_pubkey*) opening); } -int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, const unsigned char* input33) { +int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, const unsigned char* input33) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(opening != NULL); ARG_CHECK(input33 != NULL); - return rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, (rustsecp256k1zkp_v0_5_0_pubkey*) opening, input33, 33); + return rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, (rustsecp256k1zkp_v0_6_0_pubkey*) opening, input33, 33); } -int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char* output33, const rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening) { +int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char* output33, const rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening) { size_t out_len = 33; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output33 != NULL); ARG_CHECK(opening != NULL); - return rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, output33, &out_len, (const rustsecp256k1zkp_v0_5_0_pubkey*) opening, SECP256K1_EC_COMPRESSED); + return rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, output33, &out_len, (const rustsecp256k1zkp_v0_6_0_pubkey*) opening, SECP256K1_EC_COMPRESSED); } /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("s2c/ecdsa/point")||SHA256("s2c/ecdsa/point"). */ -static void rustsecp256k1zkp_v0_5_0_s2c_ecdsa_point_sha256_tagged(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_s2c_ecdsa_point_sha256_tagged(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0xa9b21c7bul; sha->s[1] = 0x358c3e3eul; sha->s[2] = 0x0b6863d1ul; @@ -51,8 +51,8 @@ static void rustsecp256k1zkp_v0_5_0_s2c_ecdsa_point_sha256_tagged(rustsecp256k1z /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("s2c/ecdsa/data")||SHA256("s2c/ecdsa/data"). */ -static void rustsecp256k1zkp_v0_5_0_s2c_ecdsa_data_sha256_tagged(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_s2c_ecdsa_data_sha256_tagged(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0xfeefd675ul; sha->s[1] = 0x73166c99ul; sha->s[2] = 0xe2309cb8ul; @@ -65,15 +65,15 @@ static void rustsecp256k1zkp_v0_5_0_s2c_ecdsa_data_sha256_tagged(rustsecp256k1zk sha->bytes = 64; } -int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* signature, rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* s2c_opening, const unsigned char +int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* signature, rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* s2c_opening, const unsigned char *msg32, const unsigned char *seckey, const unsigned char* s2c_data32) { - rustsecp256k1zkp_v0_5_0_scalar r, s; + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret; unsigned char ndata[32]; - rustsecp256k1zkp_v0_5_0_sha256 s2c_sha; + rustsecp256k1zkp_v0_6_0_sha256 s2c_sha; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(msg32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(seckey != NULL); @@ -83,36 +83,36 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(const rustsecp256k1zkp_v0_5_0_context * derive the nonce. It is first hashed because it should be possible * to derive nonces even if only a SHA256 commitment to the data is * known. This is important in the ECDSA anti-exfil protocol. */ - rustsecp256k1zkp_v0_5_0_s2c_ecdsa_data_sha256_tagged(&s2c_sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&s2c_sha, s2c_data32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&s2c_sha, ndata); - - rustsecp256k1zkp_v0_5_0_s2c_ecdsa_point_sha256_tagged(&s2c_sha); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(ctx, &r, &s, NULL, &s2c_sha, s2c_opening, s2c_data32, msg32, seckey, NULL, ndata); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&r, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&s, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(signature, &r, &s); + rustsecp256k1zkp_v0_6_0_s2c_ecdsa_data_sha256_tagged(&s2c_sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&s2c_sha, s2c_data32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&s2c_sha, ndata); + + rustsecp256k1zkp_v0_6_0_s2c_ecdsa_point_sha256_tagged(&s2c_sha); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sign_inner(ctx, &r, &s, NULL, &s2c_sha, s2c_opening, s2c_data32, msg32, seckey, NULL, ndata); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&r, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&s, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(signature, &r, &s); return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const unsigned char* data32, const rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening) { - rustsecp256k1zkp_v0_5_0_ge commitment_ge; - rustsecp256k1zkp_v0_5_0_ge original_pubnonce_ge; +int rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char* data32, const rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening) { + rustsecp256k1zkp_v0_6_0_ge commitment_ge; + rustsecp256k1zkp_v0_6_0_ge original_pubnonce_ge; unsigned char x_bytes[32]; - rustsecp256k1zkp_v0_5_0_scalar sigr, sigs, x_scalar; - rustsecp256k1zkp_v0_5_0_sha256 s2c_sha; + rustsecp256k1zkp_v0_6_0_scalar sigr, sigs, x_scalar; + rustsecp256k1zkp_v0_6_0_sha256 s2c_sha; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(sig != NULL); ARG_CHECK(data32 != NULL); ARG_CHECK(opening != NULL); - if (!rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_load(ctx, &original_pubnonce_ge, opening)) { + if (!rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_load(ctx, &original_pubnonce_ge, opening)) { return 0; } - rustsecp256k1zkp_v0_5_0_s2c_ecdsa_point_sha256_tagged(&s2c_sha); - if (!rustsecp256k1zkp_v0_5_0_ec_commit(&ctx->ecmult_ctx, &commitment_ge, &original_pubnonce_ge, &s2c_sha, data32, 32)) { + rustsecp256k1zkp_v0_6_0_s2c_ecdsa_point_sha256_tagged(&s2c_sha); + if (!rustsecp256k1zkp_v0_6_0_ec_commit(&ctx->ecmult_ctx, &commitment_ge, &original_pubnonce_ge, &s2c_sha, data32, 32)) { return 0; } @@ -123,44 +123,44 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(const rustsecp256k1zkp_v0_5_ * Note that we are only checking the x-coordinate -- this is because the y-coordinate * is not part of the ECDSA signature (and therefore not part of the commitment!) */ - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &sigr, &sigs, sig); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &sigr, &sigs, sig); - rustsecp256k1zkp_v0_5_0_fe_normalize(&commitment_ge.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(x_bytes, &commitment_ge.x); + rustsecp256k1zkp_v0_6_0_fe_normalize(&commitment_ge.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(x_bytes, &commitment_ge.x); /* Do not check overflow; overflowing a scalar does not affect whether * or not the R value is a cryptographic commitment, only whether it * is a valid R value for an ECDSA signature. If users care about that * they should use `ecdsa_verify` or `anti_exfil_host_verify`. In other * words, this check would be (at best) unnecessary, and (at worst) * insufficient. */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&x_scalar, x_bytes, NULL); - return rustsecp256k1zkp_v0_5_0_scalar_eq(&sigr, &x_scalar); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&x_scalar, x_bytes, NULL); + return rustsecp256k1zkp_v0_6_0_scalar_eq(&sigr, &x_scalar); } /*** anti-exfil ***/ -int rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32) { - rustsecp256k1zkp_v0_5_0_sha256 sha; +int rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32) { + rustsecp256k1zkp_v0_6_0_sha256 sha; VERIFY_CHECK(ctx != NULL); ARG_CHECK(rand_commitment32 != NULL); ARG_CHECK(rand32 != NULL); - rustsecp256k1zkp_v0_5_0_s2c_ecdsa_data_sha256_tagged(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, rand32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, rand_commitment32); + rustsecp256k1zkp_v0_6_0_s2c_ecdsa_data_sha256_tagged(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, rand32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, rand_commitment32); return 1; } -int rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32) { +int rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32) { unsigned char nonce32[32]; - rustsecp256k1zkp_v0_5_0_scalar k; - rustsecp256k1zkp_v0_5_0_gej rj; - rustsecp256k1zkp_v0_5_0_ge r; + rustsecp256k1zkp_v0_6_0_scalar k; + rustsecp256k1zkp_v0_6_0_gej rj; + rustsecp256k1zkp_v0_6_0_ge r; unsigned int count = 0; int is_nonce_valid = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(opening != NULL); ARG_CHECK(msg32 != NULL); ARG_CHECK(seckey32 != NULL); @@ -168,31 +168,31 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(const rustsecp256k1zk memset(nonce32, 0, 32); while (!is_nonce_valid) { - /* cast to void* removes const qualifier, but rustsecp256k1zkp_v0_5_0_nonce_function_default does not modify it */ - if (!rustsecp256k1zkp_v0_5_0_nonce_function_default(nonce32, msg32, seckey32, NULL, (void*)rand_commitment32, count)) { - rustsecp256k1zkp_v0_5_0_callback_call(&ctx->error_callback, "(cryptographically unreachable) generated bad nonce"); + /* cast to void* removes const qualifier, but rustsecp256k1zkp_v0_6_0_nonce_function_default does not modify it */ + if (!rustsecp256k1zkp_v0_6_0_nonce_function_default(nonce32, msg32, seckey32, NULL, (void*)rand_commitment32, count)) { + rustsecp256k1zkp_v0_6_0_callback_call(&ctx->error_callback, "(cryptographically unreachable) generated bad nonce"); } - is_nonce_valid = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&k, nonce32); + is_nonce_valid = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&k, nonce32); /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); count++; } - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&r, &rj); - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(opening, &r); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&r, &rj); + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(opening, &r); memset(nonce32, 0, 32); - rustsecp256k1zkp_v0_5_0_scalar_clear(&k); + rustsecp256k1zkp_v0_6_0_scalar_clear(&k); return 1; } -int rustsecp256k1zkp_v0_5_0_anti_exfil_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32) { - return rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, sig, NULL, msg32, seckey, host_data32); +int rustsecp256k1zkp_v0_6_0_anti_exfil_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32) { + return rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, sig, NULL, msg32, seckey, host_data32); } -int rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, const unsigned char *msg32, const rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *host_data32, const rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening *opening) { - return rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(ctx, sig, host_data32, opening) && - rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, sig, msg32, pubkey); +int rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msg32, const rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *host_data32, const rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening *opening) { + return rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(ctx, sig, host_data32, opening) && + rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, sig, msg32, pubkey); } #endif /* SECP256K1_ECDSA_S2C_MAIN_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/tests_impl.h index a5b11a28..d7a14c04 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/ecdsa_s2c/tests_impl.h @@ -12,28 +12,28 @@ static void test_ecdsa_s2c_tagged_hash(void) { unsigned char tag_data[14] = "s2c/ecdsa/data"; unsigned char tag_point[15] = "s2c/ecdsa/point"; - rustsecp256k1zkp_v0_5_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_sha256 sha_optimized; + rustsecp256k1zkp_v0_6_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha_optimized; unsigned char output[32]; unsigned char output_optimized[32]; - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, tag_data, sizeof(tag_data)); - rustsecp256k1zkp_v0_5_0_s2c_ecdsa_data_sha256_tagged(&sha_optimized); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, output); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha_optimized, output_optimized); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(output, output_optimized, 32) == 0); - - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, tag_point, sizeof(tag_point)); - rustsecp256k1zkp_v0_5_0_s2c_ecdsa_point_sha256_tagged(&sha_optimized); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, output); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha_optimized, output_optimized); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(output, output_optimized, 32) == 0); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, tag_data, sizeof(tag_data)); + rustsecp256k1zkp_v0_6_0_s2c_ecdsa_data_sha256_tagged(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, output); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha_optimized, output_optimized); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(output, output_optimized, 32) == 0); + + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, tag_point, sizeof(tag_point)); + rustsecp256k1zkp_v0_6_0_s2c_ecdsa_point_sha256_tagged(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, output); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha_optimized, output_optimized); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(output, output_optimized, 32) == 0); } void run_s2c_opening_test(void) { int i = 0; unsigned char output[33]; - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); unsigned char input[33] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -42,177 +42,177 @@ void run_s2c_opening_test(void) { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }; - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening opening; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening opening; int32_t ecount = 0; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); /* First parsing, then serializing works */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize(none, output, &opening) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize(none, output, &opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, NULL, input) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, NULL, input) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, &opening, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, &opening, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize(none, NULL, &opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize(none, NULL, &opening) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize(none, output, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize(none, output, NULL) == 0); CHECK(ecount == 4); /* Invalid pubkey makes parsing fail */ input[0] = 0; /* bad oddness bit */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, &opening, input) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, &opening, input) == 0); input[0] = 2; input[31] = 1; /* point not on the curve */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, &opening, input) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, &opening, input) == 0); CHECK(ecount == 4); /* neither of the above are API errors */ /* Try parsing and serializing a bunch of openings */ for (i = 0; i < count; i++) { /* This is expected to fail in about 50% of iterations because the * points' x-coordinates are uniformly random */ - if (rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1) { - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize(none, output, &opening) == 1); + if (rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_parse(none, &opening, input) == 1) { + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize(none, output, &opening) == 1); CHECK(memcmp(output, input, sizeof(output)) == 0); } - rustsecp256k1zkp_v0_5_0_testrand256(&input[1]); + rustsecp256k1zkp_v0_6_0_testrand256(&input[1]); /* Set pubkey oddness tag to first bit of input[1] */ input[0] = (input[1] & 1) + 2; } - rustsecp256k1zkp_v0_5_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(none); } static void test_ecdsa_s2c_api(void) { - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_context *both = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *both = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening s2c_opening; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening s2c_opening; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; const unsigned char msg[32] = "mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm"; const unsigned char sec[32] = "ssssssssssssssssssssssssssssssss"; const unsigned char s2c_data[32] = "dddddddddddddddddddddddddddddddd"; const unsigned char hostrand[32] = "hrhrhrhrhrhrhrhrhrhrhrhrhrhrhrhr"; unsigned char hostrand_commitment[32]; - rustsecp256k1zkp_v0_5_0_pubkey pk; + rustsecp256k1zkp_v0_6_0_pubkey pk; int32_t ecount; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pk, sec)); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pk, sec)); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(both, NULL, &s2c_opening, msg, sec, s2c_data) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(both, NULL, &s2c_opening, msg, sec, s2c_data) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(both, &sig, NULL, msg, sec, s2c_data) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(both, &sig, NULL, msg, sec, s2c_data) == 1); CHECK(ecount == 1); /* NULL opening is not an API error */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(both, &sig, &s2c_opening, NULL, sec, s2c_data) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(both, &sig, &s2c_opening, NULL, sec, s2c_data) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(both, &sig, &s2c_opening, msg, NULL, s2c_data) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(both, &sig, &s2c_opening, msg, NULL, s2c_data) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(both, &sig, &s2c_opening, msg, sec, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(both, &sig, &s2c_opening, msg, sec, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(none, &sig, &s2c_opening, msg, sec, s2c_data) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(none, &sig, &s2c_opening, msg, sec, s2c_data) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(vrfy, &sig, &s2c_opening, msg, sec, s2c_data) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(vrfy, &sig, &s2c_opening, msg, sec, s2c_data) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(sign, &sig, &s2c_opening, msg, sec, s2c_data) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(sign, &sig, &s2c_opening, msg, sec, s2c_data) == 1); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg, &pk) == 1); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(both, NULL, s2c_data, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(both, NULL, s2c_data, &s2c_opening) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(both, &sig, NULL, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(both, &sig, NULL, &s2c_opening) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(both, &sig, s2c_data, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(both, &sig, s2c_data, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(none, &sig, s2c_data, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(none, &sig, s2c_data, &s2c_opening) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(sign, &sig, s2c_data, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(sign, &sig, s2c_data, &s2c_opening) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(vrfy, &sig, sec, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(vrfy, &sig, sec, &s2c_opening) == 0); CHECK(ecount == 5); /* wrong data is not an API error */ /* Signing with NULL s2c_opening gives the same result */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(sign, &sig, NULL, msg, sec, s2c_data) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(sign, &sig, NULL, msg, sec, s2c_data) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1); /* anti-exfil */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit(none, NULL, hostrand) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit(none, NULL, hostrand) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, hostrand) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit(none, hostrand_commitment, hostrand) == 1); CHECK(ecount == 2); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(both, NULL, msg, sec, hostrand_commitment) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(both, NULL, msg, sec, hostrand_commitment) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, NULL, sec, hostrand_commitment) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, NULL, sec, hostrand_commitment) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, NULL, hostrand_commitment) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, NULL, hostrand_commitment) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, sec, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(both, &s2c_opening, msg, sec, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(none, &s2c_opening, msg, sec, hostrand_commitment) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(none, &s2c_opening, msg, sec, hostrand_commitment) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(vrfy, &s2c_opening, msg, sec, hostrand_commitment) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(vrfy, &s2c_opening, msg, sec, hostrand_commitment) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(sign, &s2c_opening, msg, sec, hostrand_commitment) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(sign, &s2c_opening, msg, sec, hostrand_commitment) == 1); CHECK(ecount == 6); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(both, NULL, msg, sec, hostrand) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(both, NULL, msg, sec, hostrand) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(both, &sig, NULL, sec, hostrand) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(both, &sig, NULL, sec, hostrand) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(both, &sig, msg, NULL, hostrand) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(both, &sig, msg, NULL, hostrand) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(both, &sig, msg, sec, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(both, &sig, msg, sec, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(none, &sig, msg, sec, hostrand) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(none, &sig, msg, sec, hostrand) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(vrfy, &sig, msg, sec, hostrand) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(vrfy, &sig, msg, sec, hostrand) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(both, &sig, msg, sec, hostrand) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(both, &sig, msg, sec, hostrand) == 1); CHECK(ecount == 6); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(both, NULL, msg, &pk, hostrand, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(both, NULL, msg, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(both, &sig, NULL, &pk, hostrand, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(both, &sig, NULL, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(both, &sig, msg, NULL, hostrand, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(both, &sig, msg, NULL, hostrand, &s2c_opening) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(both, &sig, msg, &pk, NULL, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(both, &sig, msg, &pk, NULL, &s2c_opening) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(both, &sig, msg, &pk, hostrand, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(both, &sig, msg, &pk, hostrand, NULL) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(none, &sig, msg, &pk, hostrand, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(none, &sig, msg, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(sign, &sig, msg, &pk, hostrand, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(sign, &sig, msg, &pk, hostrand, &s2c_opening) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(vrfy, &sig, msg, &pk, hostrand, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(vrfy, &sig, msg, &pk, hostrand, &s2c_opening) == 1); CHECK(ecount == 7); - rustsecp256k1zkp_v0_5_0_context_destroy(both); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(both); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(none); } /* When using sign-to-contract commitments, the nonce function is fixed, so we can use fixtures to test. */ @@ -250,65 +250,65 @@ static void test_ecdsa_s2c_fixed_vectors(void) { size_t i; for (i = 0; i < sizeof(ecdsa_s2c_tests) / sizeof(ecdsa_s2c_tests[0]); i++) { - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening s2c_opening; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening s2c_opening; unsigned char opening_ser[33]; const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i]; - rustsecp256k1zkp_v0_5_0_ecdsa_signature signature; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize(ctx, opening_ser, &s2c_opening) == 1); + rustsecp256k1zkp_v0_6_0_ecdsa_signature signature; + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize(ctx, opening_ser, &s2c_opening) == 1); CHECK(memcmp(test->expected_s2c_opening, opening_ser, sizeof(opening_ser)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(ctx, &signature, test->s2c_data, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(ctx, &signature, test->s2c_data, &s2c_opening) == 1); } } static void test_ecdsa_s2c_sign_verify(void) { unsigned char privkey[32]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; unsigned char message[32]; unsigned char noncedata[32]; unsigned char s2c_data[32]; unsigned char s2c_data2[32]; - rustsecp256k1zkp_v0_5_0_ecdsa_signature signature; - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening s2c_opening; + rustsecp256k1zkp_v0_6_0_ecdsa_signature signature; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening s2c_opening; /* Generate a random key, message, noncedata and s2c_data. */ { - rustsecp256k1zkp_v0_5_0_scalar key; + rustsecp256k1zkp_v0_6_0_scalar key; random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(privkey, &key); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(privkey, &key); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); - rustsecp256k1zkp_v0_5_0_testrand256_test(message); - rustsecp256k1zkp_v0_5_0_testrand256_test(noncedata); - rustsecp256k1zkp_v0_5_0_testrand256_test(s2c_data); - rustsecp256k1zkp_v0_5_0_testrand256_test(s2c_data2); + rustsecp256k1zkp_v0_6_0_testrand256_test(message); + rustsecp256k1zkp_v0_6_0_testrand256_test(noncedata); + rustsecp256k1zkp_v0_6_0_testrand256_test(s2c_data); + rustsecp256k1zkp_v0_6_0_testrand256_test(s2c_data2); } { /* invalid privkeys */ unsigned char zero_privkey[32] = {0}; unsigned char overflow_privkey[32] = "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, &signature, NULL, message, zero_privkey, s2c_data) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, &signature, NULL, message, overflow_privkey, s2c_data) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, &signature, NULL, message, zero_privkey, s2c_data) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, &signature, NULL, message, overflow_privkey, s2c_data) == 0); } /* Check that the sign-to-contract signature is valid, with s2c_data. Also check the commitment. */ { - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature, message, &pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature, message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 1); } /* Check that an invalid commitment does not verify */ { unsigned char sigbytes[64]; size_t i; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature, message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature, message, &pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1); for(i = 0; i < 32; i++) { /* change one byte */ sigbytes[i] = (((int)sigbytes[i]) + 1) % 256; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 0); /* revert */ sigbytes[i] = (((int)sigbytes[i]) + 255) % 256; } @@ -327,11 +327,11 @@ static void test_ecdsa_anti_exfil_signer_commit(void) { }; /* Check that original pubnonce is derived from s2c_data */ for (i = 0; i < sizeof(ecdsa_s2c_tests) / sizeof(ecdsa_s2c_tests[0]); i++) { - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening s2c_opening; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening s2c_opening; unsigned char buf[33]; const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i]; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1); CHECK(memcmp(test->expected_s2c_exfil_opening, buf, sizeof(buf)) == 0); } } @@ -342,62 +342,62 @@ static void test_ecdsa_anti_exfil(void) { unsigned char host_msg[32]; unsigned char host_commitment[32]; unsigned char host_nonce_contribution[32]; - rustsecp256k1zkp_v0_5_0_pubkey signer_pubkey; - rustsecp256k1zkp_v0_5_0_ecdsa_signature signature; - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening s2c_opening; + rustsecp256k1zkp_v0_6_0_pubkey signer_pubkey; + rustsecp256k1zkp_v0_6_0_ecdsa_signature signature; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening s2c_opening; /* Generate a random key, message. */ { - rustsecp256k1zkp_v0_5_0_scalar key; + rustsecp256k1zkp_v0_6_0_scalar key; random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(signer_privkey, &key); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &signer_pubkey, signer_privkey) == 1); - rustsecp256k1zkp_v0_5_0_testrand256_test(host_msg); - rustsecp256k1zkp_v0_5_0_testrand256_test(host_nonce_contribution); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(signer_privkey, &key); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &signer_pubkey, signer_privkey) == 1); + rustsecp256k1zkp_v0_6_0_testrand256_test(host_msg); + rustsecp256k1zkp_v0_6_0_testrand256_test(host_nonce_contribution); } /* Protocol step 1. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit(ctx, host_commitment, host_nonce_contribution) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit(ctx, host_commitment, host_nonce_contribution) == 1); /* Protocol step 2. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1); /* Protocol step 3: host_nonce_contribution send to signer to be used in step 4. */ /* Protocol step 4. */ - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1); /* Protocol step 5. */ - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); /* Protocol step 5 (explicitly) */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); { /* host_verify: commitment does not match */ unsigned char sigbytes[64]; size_t i; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1); for(i = 0; i < 32; i++) { /* change one byte */ sigbytes[i] += 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); /* revert */ sigbytes[i] -= 1; } - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); } { /* host_verify: message does not match */ unsigned char bad_msg[32]; - rustsecp256k1zkp_v0_5_0_testrand256_test(bad_msg); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); + rustsecp256k1zkp_v0_6_0_testrand256_test(bad_msg); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); } { /* s2c_sign: host provided data that didn't match commitment */ - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening orig_opening = s2c_opening; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening orig_opening = s2c_opening; unsigned char bad_nonce_contribution[32] = { 1, 2, 3, 4 }; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1); /* good signature but the opening (original public nonce does not match the original */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1); CHECK(memcmp(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0); } } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/Makefile.am.include index 0aec0306..77803bf3 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_extrakeys.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_extrakeys.h noinst_HEADERS += src/modules/extrakeys/tests_impl.h noinst_HEADERS += src/modules/extrakeys/tests_exhaustive_impl.h noinst_HEADERS += src/modules/extrakeys/main_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/main_impl.h index b99628fc..2ba7fa80 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/main_impl.h @@ -7,140 +7,166 @@ #ifndef SECP256K1_MODULE_EXTRAKEYS_MAIN_H #define SECP256K1_MODULE_EXTRAKEYS_MAIN_H -#include "include/secp256k1.h" -#include "include/secp256k1_extrakeys.h" +#include "../../../include/secp256k1.h" +#include "../../../include/secp256k1_extrakeys.h" -static SECP256K1_INLINE int rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ge *ge, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey) { - return rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, ge, (const rustsecp256k1zkp_v0_5_0_pubkey *) pubkey); +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ge *ge, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey) { + return rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, ge, (const rustsecp256k1zkp_v0_6_0_pubkey *) pubkey); } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_xonly_pubkey_save(rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey, rustsecp256k1zkp_v0_5_0_ge *ge) { - rustsecp256k1zkp_v0_5_0_pubkey_save((rustsecp256k1zkp_v0_5_0_pubkey *) pubkey, ge); +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_xonly_pubkey_save(rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey, rustsecp256k1zkp_v0_6_0_ge *ge) { + rustsecp256k1zkp_v0_6_0_pubkey_save((rustsecp256k1zkp_v0_6_0_pubkey *) pubkey, ge); } -int rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey, const unsigned char *input32) { - rustsecp256k1zkp_v0_5_0_ge pk; - rustsecp256k1zkp_v0_5_0_fe x; +int rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey, const unsigned char *input32) { + rustsecp256k1zkp_v0_6_0_ge pk; + rustsecp256k1zkp_v0_6_0_fe x; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); ARG_CHECK(input32 != NULL); - if (!rustsecp256k1zkp_v0_5_0_fe_set_b32(&x, input32)) { + if (!rustsecp256k1zkp_v0_6_0_fe_set_b32(&x, input32)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&pk, &x, 0)) { + if (!rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&pk, &x, 0)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_ge_is_in_correct_subgroup(&pk)) { + if (!rustsecp256k1zkp_v0_6_0_ge_is_in_correct_subgroup(&pk)) { return 0; } - rustsecp256k1zkp_v0_5_0_xonly_pubkey_save(pubkey, &pk); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_save(pubkey, &pk); return 1; } -int rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output32, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey) { - rustsecp256k1zkp_v0_5_0_ge pk; +int rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output32, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey) { + rustsecp256k1zkp_v0_6_0_ge pk; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output32 != NULL); memset(output32, 0, 32); ARG_CHECK(pubkey != NULL); - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &pk, pubkey)) { + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &pk, pubkey)) { return 0; } - rustsecp256k1zkp_v0_5_0_fe_get_b32(output32, &pk.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(output32, &pk.x); return 1; } +int rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pk0, const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pk1) { + unsigned char out[2][32]; + const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pk[2]; + int i; + + VERIFY_CHECK(ctx != NULL); + pk[0] = pk0; pk[1] = pk1; + for (i = 0; i < 2; i++) { + /* If the public key is NULL or invalid, xonly_pubkey_serialize will + * call the illegal_callback and return 0. In that case we will + * serialize the key as all zeros which is less than any valid public + * key. This results in consistent comparisons even if NULL or invalid + * pubkeys are involved and prevents edge cases such as sorting + * algorithms that use this function and do not terminate as a + * result. */ + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, out[i], pk[i])) { + /* Note that xonly_pubkey_serialize should already set the output to + * zero in that case, but it's not guaranteed by the API, we can't + * test it and writing a VERIFY_CHECK is more complex than + * explicitly memsetting (again). */ + memset(out[i], 0, sizeof(out[i])); + } + } + return rustsecp256k1zkp_v0_6_0_memcmp_var(out[0], out[1], sizeof(out[1])); +} + /** Keeps a group element as is if it has an even Y and otherwise negates it. * y_parity is set to 0 in the former case and to 1 in the latter case. * Requires that the coordinates of r are normalized. */ -static int rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(rustsecp256k1zkp_v0_5_0_ge *r) { +static int rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(rustsecp256k1zkp_v0_6_0_ge *r) { int y_parity = 0; - VERIFY_CHECK(!rustsecp256k1zkp_v0_5_0_ge_is_infinity(r)); + VERIFY_CHECK(!rustsecp256k1zkp_v0_6_0_ge_is_infinity(r)); - if (rustsecp256k1zkp_v0_5_0_fe_is_odd(&r->y)) { - rustsecp256k1zkp_v0_5_0_fe_negate(&r->y, &r->y, 1); + if (rustsecp256k1zkp_v0_6_0_fe_is_odd(&r->y)) { + rustsecp256k1zkp_v0_6_0_fe_negate(&r->y, &r->y, 1); y_parity = 1; } return y_parity; } -int rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_xonly_pubkey *xonly_pubkey, int *pk_parity, const rustsecp256k1zkp_v0_5_0_pubkey *pubkey) { - rustsecp256k1zkp_v0_5_0_ge pk; +int rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_xonly_pubkey *xonly_pubkey, int *pk_parity, const rustsecp256k1zkp_v0_6_0_pubkey *pubkey) { + rustsecp256k1zkp_v0_6_0_ge pk; int tmp; VERIFY_CHECK(ctx != NULL); ARG_CHECK(xonly_pubkey != NULL); ARG_CHECK(pubkey != NULL); - if (!rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &pk, pubkey)) { + if (!rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &pk, pubkey)) { return 0; } - tmp = rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(&pk); + tmp = rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(&pk); if (pk_parity != NULL) { *pk_parity = tmp; } - rustsecp256k1zkp_v0_5_0_xonly_pubkey_save(xonly_pubkey, &pk); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_save(xonly_pubkey, &pk); return 1; } -int rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *output_pubkey, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge pk; +int rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *output_pubkey, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge pk; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output_pubkey != NULL); memset(output_pubkey, 0, sizeof(*output_pubkey)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(internal_pubkey != NULL); ARG_CHECK(tweak32 != NULL); - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &pk, internal_pubkey) - || !rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32)) { + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &pk, internal_pubkey) + || !rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32)) { return 0; } - rustsecp256k1zkp_v0_5_0_pubkey_save(output_pubkey, &pk); + rustsecp256k1zkp_v0_6_0_pubkey_save(output_pubkey, &pk); return 1; } -int rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(const rustsecp256k1zkp_v0_5_0_context* ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge pk; +int rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge pk; unsigned char pk_expected32[32]; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(internal_pubkey != NULL); ARG_CHECK(tweaked_pubkey32 != NULL); ARG_CHECK(tweak32 != NULL); - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &pk, internal_pubkey) - || !rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32)) { + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &pk, internal_pubkey) + || !rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32)) { return 0; } - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&pk.x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&pk.y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(pk_expected32, &pk.x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&pk.x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&pk.y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(pk_expected32, &pk.x); - return rustsecp256k1zkp_v0_5_0_memcmp_var(&pk_expected32, tweaked_pubkey32, 32) == 0 - && rustsecp256k1zkp_v0_5_0_fe_is_odd(&pk.y) == tweaked_pk_parity; + return rustsecp256k1zkp_v0_6_0_memcmp_var(&pk_expected32, tweaked_pubkey32, 32) == 0 + && rustsecp256k1zkp_v0_6_0_fe_is_odd(&pk.y) == tweaked_pk_parity; } -static void rustsecp256k1zkp_v0_5_0_keypair_save(rustsecp256k1zkp_v0_5_0_keypair *keypair, const rustsecp256k1zkp_v0_5_0_scalar *sk, rustsecp256k1zkp_v0_5_0_ge *pk) { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&keypair->data[0], sk); - rustsecp256k1zkp_v0_5_0_pubkey_save((rustsecp256k1zkp_v0_5_0_pubkey *)&keypair->data[32], pk); +static void rustsecp256k1zkp_v0_6_0_keypair_save(rustsecp256k1zkp_v0_6_0_keypair *keypair, const rustsecp256k1zkp_v0_6_0_scalar *sk, rustsecp256k1zkp_v0_6_0_ge *pk) { + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&keypair->data[0], sk); + rustsecp256k1zkp_v0_6_0_pubkey_save((rustsecp256k1zkp_v0_6_0_pubkey *)&keypair->data[32], pk); } -static int rustsecp256k1zkp_v0_5_0_keypair_seckey_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar *sk, const rustsecp256k1zkp_v0_5_0_keypair *keypair) { +static int rustsecp256k1zkp_v0_6_0_keypair_seckey_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar *sk, const rustsecp256k1zkp_v0_6_0_keypair *keypair) { int ret; - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(sk, &keypair->data[0]); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(sk, &keypair->data[0]); /* We can declassify ret here because sk is only zero if a keypair function * failed (which zeroes the keypair) and its return value is ignored. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &ret, sizeof(ret)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &ret, sizeof(ret)); ARG_CHECK(ret); return ret; } @@ -148,45 +174,45 @@ static int rustsecp256k1zkp_v0_5_0_keypair_seckey_load(const rustsecp256k1zkp_v0 /* Load a keypair into pk and sk (if non-NULL). This function declassifies pk * and ARG_CHECKs that the keypair is not invalid. It always initializes sk and * pk with dummy values. */ -static int rustsecp256k1zkp_v0_5_0_keypair_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar *sk, rustsecp256k1zkp_v0_5_0_ge *pk, const rustsecp256k1zkp_v0_5_0_keypair *keypair) { +static int rustsecp256k1zkp_v0_6_0_keypair_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar *sk, rustsecp256k1zkp_v0_6_0_ge *pk, const rustsecp256k1zkp_v0_6_0_keypair *keypair) { int ret; - const rustsecp256k1zkp_v0_5_0_pubkey *pubkey = (const rustsecp256k1zkp_v0_5_0_pubkey *)&keypair->data[32]; + const rustsecp256k1zkp_v0_6_0_pubkey *pubkey = (const rustsecp256k1zkp_v0_6_0_pubkey *)&keypair->data[32]; /* Need to declassify the pubkey because pubkey_load ARG_CHECKs if it's * invalid. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, pubkey, sizeof(*pubkey)); - ret = rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, pk, pubkey); + rustsecp256k1zkp_v0_6_0_declassify(ctx, pubkey, sizeof(*pubkey)); + ret = rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, pk, pubkey); if (sk != NULL) { - ret = ret && rustsecp256k1zkp_v0_5_0_keypair_seckey_load(ctx, sk, keypair); + ret = ret && rustsecp256k1zkp_v0_6_0_keypair_seckey_load(ctx, sk, keypair); } if (!ret) { - *pk = rustsecp256k1zkp_v0_5_0_ge_const_g; + *pk = rustsecp256k1zkp_v0_6_0_ge_const_g; if (sk != NULL) { - *sk = rustsecp256k1zkp_v0_5_0_scalar_one; + *sk = rustsecp256k1zkp_v0_6_0_scalar_one; } } return ret; } -int rustsecp256k1zkp_v0_5_0_keypair_create(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_keypair *keypair, const unsigned char *seckey32) { - rustsecp256k1zkp_v0_5_0_scalar sk; - rustsecp256k1zkp_v0_5_0_ge pk; +int rustsecp256k1zkp_v0_6_0_keypair_create(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_keypair *keypair, const unsigned char *seckey32) { + rustsecp256k1zkp_v0_6_0_scalar sk; + rustsecp256k1zkp_v0_6_0_ge pk; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(keypair != NULL); memset(keypair, 0, sizeof(*keypair)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(seckey32 != NULL); - ret = rustsecp256k1zkp_v0_5_0_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &sk, &pk, seckey32); - rustsecp256k1zkp_v0_5_0_keypair_save(keypair, &sk, &pk); - rustsecp256k1zkp_v0_5_0_memczero(keypair, sizeof(*keypair), !ret); + ret = rustsecp256k1zkp_v0_6_0_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &sk, &pk, seckey32); + rustsecp256k1zkp_v0_6_0_keypair_save(keypair, &sk, &pk); + rustsecp256k1zkp_v0_6_0_memczero(keypair, sizeof(*keypair), !ret); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sk); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sk); return ret; } -int rustsecp256k1zkp_v0_5_0_keypair_sec(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const rustsecp256k1zkp_v0_5_0_keypair *keypair) { +int rustsecp256k1zkp_v0_6_0_keypair_sec(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const rustsecp256k1zkp_v0_6_0_keypair *keypair) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); memset(seckey, 0, 32); @@ -196,7 +222,7 @@ int rustsecp256k1zkp_v0_5_0_keypair_sec(const rustsecp256k1zkp_v0_5_0_context* c return 1; } -int rustsecp256k1zkp_v0_5_0_keypair_pub(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const rustsecp256k1zkp_v0_5_0_keypair *keypair) { +int rustsecp256k1zkp_v0_6_0_keypair_pub(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const rustsecp256k1zkp_v0_6_0_keypair *keypair) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); @@ -206,8 +232,8 @@ int rustsecp256k1zkp_v0_5_0_keypair_pub(const rustsecp256k1zkp_v0_5_0_context* c return 1; } -int rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey, int *pk_parity, const rustsecp256k1zkp_v0_5_0_keypair *keypair) { - rustsecp256k1zkp_v0_5_0_ge pk; +int rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey, int *pk_parity, const rustsecp256k1zkp_v0_6_0_keypair *keypair) { + rustsecp256k1zkp_v0_6_0_ge pk; int tmp; VERIFY_CHECK(ctx != NULL); @@ -215,46 +241,46 @@ int rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(const rustsecp256k1zkp_v0_5_0_cont memset(pubkey, 0, sizeof(*pubkey)); ARG_CHECK(keypair != NULL); - if (!rustsecp256k1zkp_v0_5_0_keypair_load(ctx, NULL, &pk, keypair)) { + if (!rustsecp256k1zkp_v0_6_0_keypair_load(ctx, NULL, &pk, keypair)) { return 0; } - tmp = rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(&pk); + tmp = rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(&pk); if (pk_parity != NULL) { *pk_parity = tmp; } - rustsecp256k1zkp_v0_5_0_xonly_pubkey_save(pubkey, &pk); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_save(pubkey, &pk); return 1; } -int rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_keypair *keypair, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge pk; - rustsecp256k1zkp_v0_5_0_scalar sk; +int rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_keypair *keypair, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge pk; + rustsecp256k1zkp_v0_6_0_scalar sk; int y_parity; int ret; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(keypair != NULL); ARG_CHECK(tweak32 != NULL); - ret = rustsecp256k1zkp_v0_5_0_keypair_load(ctx, &sk, &pk, keypair); + ret = rustsecp256k1zkp_v0_6_0_keypair_load(ctx, &sk, &pk, keypair); memset(keypair, 0, sizeof(*keypair)); - y_parity = rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(&pk); + y_parity = rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(&pk); if (y_parity == 1) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&sk, &sk); + rustsecp256k1zkp_v0_6_0_scalar_negate(&sk, &sk); } - ret &= rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(&sk, tweak32); - ret &= rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32); + ret &= rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(&sk, tweak32); + ret &= rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32); - rustsecp256k1zkp_v0_5_0_declassify(ctx, &ret, sizeof(ret)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &ret, sizeof(ret)); if (ret) { - rustsecp256k1zkp_v0_5_0_keypair_save(keypair, &sk, &pk); + rustsecp256k1zkp_v0_6_0_keypair_save(keypair, &sk, &pk); } - rustsecp256k1zkp_v0_5_0_scalar_clear(&sk); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sk); return ret; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_exhaustive_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_exhaustive_impl.h index 5624c17c..059a99d0 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_exhaustive_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_exhaustive_impl.h @@ -8,56 +8,56 @@ #define SECP256K1_MODULE_EXTRAKEYS_TESTS_EXHAUSTIVE_H #include "src/modules/extrakeys/main_impl.h" -#include "include/secp256k1_extrakeys.h" +#include "../../../include/secp256k1_extrakeys.h" -static void test_exhaustive_extrakeys(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge* group) { - rustsecp256k1zkp_v0_5_0_keypair keypair[EXHAUSTIVE_TEST_ORDER - 1]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey[EXHAUSTIVE_TEST_ORDER - 1]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey xonly_pubkey[EXHAUSTIVE_TEST_ORDER - 1]; +static void test_exhaustive_extrakeys(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge* group) { + rustsecp256k1zkp_v0_6_0_keypair keypair[EXHAUSTIVE_TEST_ORDER - 1]; + rustsecp256k1zkp_v0_6_0_pubkey pubkey[EXHAUSTIVE_TEST_ORDER - 1]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey xonly_pubkey[EXHAUSTIVE_TEST_ORDER - 1]; int parities[EXHAUSTIVE_TEST_ORDER - 1]; unsigned char xonly_pubkey_bytes[EXHAUSTIVE_TEST_ORDER - 1][32]; int i; for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { - rustsecp256k1zkp_v0_5_0_fe fe; - rustsecp256k1zkp_v0_5_0_scalar scalar_i; + rustsecp256k1zkp_v0_6_0_fe fe; + rustsecp256k1zkp_v0_6_0_scalar scalar_i; unsigned char buf[33]; int parity; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&scalar_i, i); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf, &scalar_i); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&scalar_i, i); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf, &scalar_i); /* Construct pubkey and keypair. */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair[i - 1], buf)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey[i - 1], buf)); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair[i - 1], buf)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey[i - 1], buf)); /* Construct serialized xonly_pubkey from keypair. */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &xonly_pubkey[i - 1], &parities[i - 1], &keypair[i - 1])); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, xonly_pubkey_bytes[i - 1], &xonly_pubkey[i - 1])); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &xonly_pubkey[i - 1], &parities[i - 1], &keypair[i - 1])); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, xonly_pubkey_bytes[i - 1], &xonly_pubkey[i - 1])); /* Parse the xonly_pubkey back and verify it matches the previously serialized value. */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &xonly_pubkey[i - 1], xonly_pubkey_bytes[i - 1])); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, buf, &xonly_pubkey[i - 1])); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(xonly_pubkey_bytes[i - 1], buf, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &xonly_pubkey[i - 1], xonly_pubkey_bytes[i - 1])); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, buf, &xonly_pubkey[i - 1])); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(xonly_pubkey_bytes[i - 1], buf, 32) == 0); /* Construct the xonly_pubkey from the pubkey, and verify it matches the same. */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &xonly_pubkey[i - 1], &parity, &pubkey[i - 1])); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &xonly_pubkey[i - 1], &parity, &pubkey[i - 1])); CHECK(parity == parities[i - 1]); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, buf, &xonly_pubkey[i - 1])); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(xonly_pubkey_bytes[i - 1], buf, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, buf, &xonly_pubkey[i - 1])); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(xonly_pubkey_bytes[i - 1], buf, 32) == 0); /* Compare the xonly_pubkey bytes against the precomputed group. */ - rustsecp256k1zkp_v0_5_0_fe_set_b32(&fe, xonly_pubkey_bytes[i - 1]); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&fe, &group[i].x)); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&fe, xonly_pubkey_bytes[i - 1]); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&fe, &group[i].x)); /* Check the parity against the precomputed group. */ fe = group[i].y; - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&fe); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_odd(&fe) == parities[i - 1]); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&fe); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_odd(&fe) == parities[i - 1]); /* Verify that the higher half is identical to the lower half mirrored. */ if (i > EXHAUSTIVE_TEST_ORDER / 2) { - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(xonly_pubkey_bytes[i - 1], xonly_pubkey_bytes[EXHAUSTIVE_TEST_ORDER - i - 1], 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(xonly_pubkey_bytes[i - 1], xonly_pubkey_bytes[EXHAUSTIVE_TEST_ORDER - i - 1], 32) == 0); CHECK(parities[i - 1] == 1 - parities[EXHAUSTIVE_TEST_ORDER - i - 1]); } } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_impl.h index 25aedac8..8f0b7472 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/extrakeys/tests_impl.h @@ -7,21 +7,21 @@ #ifndef SECP256K1_MODULE_EXTRAKEYS_TESTS_H #define SECP256K1_MODULE_EXTRAKEYS_TESTS_H -#include "secp256k1_extrakeys.h" +#include "../../../include/secp256k1_extrakeys.h" -static rustsecp256k1zkp_v0_5_0_context* api_test_context(int flags, int *ecount) { - rustsecp256k1zkp_v0_5_0_context *ctx0 = rustsecp256k1zkp_v0_5_0_context_create(flags); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(ctx0, counting_illegal_callback_fn, ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx0, counting_illegal_callback_fn, ecount); +static rustsecp256k1zkp_v0_6_0_context* api_test_context(int flags, int *ecount) { + rustsecp256k1zkp_v0_6_0_context *ctx0 = rustsecp256k1zkp_v0_6_0_context_create(flags); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(ctx0, counting_illegal_callback_fn, ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx0, counting_illegal_callback_fn, ecount); return ctx0; } void test_xonly_pubkey(void) { - rustsecp256k1zkp_v0_5_0_pubkey pk; - rustsecp256k1zkp_v0_5_0_xonly_pubkey xonly_pk, xonly_pk_tmp; - rustsecp256k1zkp_v0_5_0_ge pk1; - rustsecp256k1zkp_v0_5_0_ge pk2; - rustsecp256k1zkp_v0_5_0_fe y; + rustsecp256k1zkp_v0_6_0_pubkey pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey xonly_pk, xonly_pk_tmp; + rustsecp256k1zkp_v0_6_0_ge pk1; + rustsecp256k1zkp_v0_6_0_ge pk2; + rustsecp256k1zkp_v0_6_0_fe y; unsigned char sk[32]; unsigned char xy_sk[32]; unsigned char buf32[32]; @@ -31,249 +31,286 @@ void test_xonly_pubkey(void) { int i; int ecount; - rustsecp256k1zkp_v0_5_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); - rustsecp256k1zkp_v0_5_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); - rustsecp256k1zkp_v0_5_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); + rustsecp256k1zkp_v0_6_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); + rustsecp256k1zkp_v0_6_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); + rustsecp256k1zkp_v0_6_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); - rustsecp256k1zkp_v0_5_0_testrand256(sk); + rustsecp256k1zkp_v0_6_0_testrand256(sk); memset(ones32, 0xFF, 32); - rustsecp256k1zkp_v0_5_0_testrand256(xy_sk); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(sign, &pk, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(xy_sk); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(sign, &pk, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1); /* Test xonly_pubkey_from_pubkey */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(sign, &xonly_pk, &pk_parity, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(verify, &xonly_pk, &pk_parity, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, NULL, &pk_parity, &pk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(sign, &xonly_pk, &pk_parity, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(verify, &xonly_pk, &pk_parity, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, NULL, &pk_parity, &pk) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, NULL) == 0); CHECK(ecount == 2); memset(&pk, 0, sizeof(pk)); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 0); CHECK(ecount == 3); /* Choose a secret key such that the resulting pubkey and xonly_pubkey match. */ memset(sk, 0, sizeof(sk)); sk[0] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pk, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pk, &xonly_pk, sizeof(pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pk, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pk, &xonly_pk, sizeof(pk)) == 0); CHECK(pk_parity == 0); /* Choose a secret key such that pubkey and xonly_pubkey are each others * negation. */ sk[0] = 2; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pk, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xonly_pk, &pk, sizeof(xonly_pk)) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pk, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xonly_pk, &pk, sizeof(xonly_pk)) != 0); CHECK(pk_parity == 1); - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &pk1, &pk); - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &pk2, (rustsecp256k1zkp_v0_5_0_pubkey *) &xonly_pk); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal(&pk1.x, &pk2.x) == 1); - rustsecp256k1zkp_v0_5_0_fe_negate(&y, &pk2.y, 1); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal(&pk1.y, &y) == 1); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &pk1, &pk); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &pk2, (rustsecp256k1zkp_v0_6_0_pubkey *) &xonly_pk); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal(&pk1.x, &pk2.x) == 1); + rustsecp256k1zkp_v0_6_0_fe_negate(&y, &pk2.y, 1); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal(&pk1.y, &y) == 1); /* Test xonly_pubkey_serialize and xonly_pubkey_parse */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(none, NULL, &xonly_pk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(none, NULL, &xonly_pk) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(none, buf32, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(buf32, zeros64, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(none, buf32, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(buf32, zeros64, 32) == 0); CHECK(ecount == 2); { /* A pubkey filled with 0s will fail to serialize due to pubkey_load * special casing. */ - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk_tmp; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk_tmp; memset(&pk_tmp, 0, sizeof(pk_tmp)); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(none, buf32, &pk_tmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(none, buf32, &pk_tmp) == 0); } /* pubkey_load called illegal callback */ CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(none, buf32, &xonly_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(none, buf32, &xonly_pk) == 1); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(none, NULL, buf32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(none, NULL, buf32) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(none, &xonly_pk, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(none, &xonly_pk, NULL) == 0); CHECK(ecount == 2); /* Serialization and parse roundtrip */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &xonly_pk_tmp, buf32) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(xonly_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &xonly_pk_tmp, buf32) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(xonly_pk)) == 0); /* Test parsing invalid field elements */ memset(&xonly_pk, 1, sizeof(xonly_pk)); /* Overflowing field element */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(none, &xonly_pk, ones32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(none, &xonly_pk, ones32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); memset(&xonly_pk, 1, sizeof(xonly_pk)); /* There's no point with x-coordinate 0 on secp256k1 */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(none, &xonly_pk, zeros64) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(none, &xonly_pk, zeros64) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); /* If a random 32-byte string can not be parsed with ec_pubkey_parse * (because interpreted as X coordinate it does not correspond to a point on * the curve) then xonly_pubkey_parse should fail as well. */ for (i = 0; i < count; i++) { unsigned char rand33[33]; - rustsecp256k1zkp_v0_5_0_testrand256(&rand33[1]); + rustsecp256k1zkp_v0_6_0_testrand256(&rand33[1]); rand33[0] = SECP256K1_TAG_PUBKEY_EVEN; - if (!rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pk, rand33, 33)) { + if (!rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pk, rand33, 33)) { memset(&xonly_pk, 1, sizeof(xonly_pk)); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); } else { - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 1); } } CHECK(ecount == 2); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(verify); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(verify); +} + +void test_xonly_pubkey_comparison(void) { + unsigned char pk1_ser[32] = { + 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11, + 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23 + }; + const unsigned char pk2_ser[32] = { + 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d, + 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c + }; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk1; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk2; + int ecount = 0; + rustsecp256k1zkp_v0_6_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); + + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(none, &pk1, pk1_ser) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(none, &pk2, pk2_ser) == 1); + + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, NULL, &pk2) < 0); + CHECK(ecount == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk1, NULL) > 0); + CHECK(ecount == 2); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk1, &pk2) < 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk2, &pk1) > 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk1, &pk1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk2, &pk2) == 0); + CHECK(ecount == 2); + memset(&pk1, 0, sizeof(pk1)); /* illegal pubkey */ + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk1, &pk2) < 0); + CHECK(ecount == 3); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk1, &pk1) == 0); + CHECK(ecount == 5); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_cmp(none, &pk2, &pk1) > 0); + CHECK(ecount == 6); + + rustsecp256k1zkp_v0_6_0_context_destroy(none); } void test_xonly_pubkey_tweak(void) { unsigned char zeros64[64] = { 0 }; unsigned char overflows[32]; unsigned char sk[32]; - rustsecp256k1zkp_v0_5_0_pubkey internal_pk; - rustsecp256k1zkp_v0_5_0_xonly_pubkey internal_xonly_pk; - rustsecp256k1zkp_v0_5_0_pubkey output_pk; + rustsecp256k1zkp_v0_6_0_pubkey internal_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey internal_xonly_pk; + rustsecp256k1zkp_v0_6_0_pubkey output_pk; int pk_parity; unsigned char tweak[32]; int i; int ecount; - rustsecp256k1zkp_v0_5_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); - rustsecp256k1zkp_v0_5_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); - rustsecp256k1zkp_v0_5_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); + rustsecp256k1zkp_v0_6_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); + rustsecp256k1zkp_v0_6_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); + rustsecp256k1zkp_v0_6_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); memset(overflows, 0xff, sizeof(overflows)); - rustsecp256k1zkp_v0_5_0_testrand256(tweak); - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &internal_pk, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(tweak); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &internal_pk, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(none, &output_pk, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(none, &output_pk, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(sign, &output_pk, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(sign, &output_pk, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, NULL, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, NULL, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, NULL, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, NULL, tweak) == 0); CHECK(ecount == 4); /* NULL internal_xonly_pk zeroes the output_pk */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, NULL) == 0); CHECK(ecount == 5); /* NULL tweak zeroes the output_pk */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); /* Invalid tweak zeroes the output_pk */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, overflows) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, overflows) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); /* A zero tweak is fine */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, zeros64) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, zeros64) == 1); /* Fails if the resulting key was infinity */ for (i = 0; i < count; i++) { - rustsecp256k1zkp_v0_5_0_scalar scalar_tweak; + rustsecp256k1zkp_v0_6_0_scalar scalar_tweak; /* Because sk may be negated before adding, we need to try with tweak = * sk as well as tweak = -sk. */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&scalar_tweak, sk, NULL); - rustsecp256k1zkp_v0_5_0_scalar_negate(&scalar_tweak, &scalar_tweak); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(tweak, &scalar_tweak); - CHECK((rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, sk) == 0) - || (rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&scalar_tweak, sk, NULL); + rustsecp256k1zkp_v0_6_0_scalar_negate(&scalar_tweak, &scalar_tweak); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(tweak, &scalar_tweak); + CHECK((rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, sk) == 0) + || (rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); } /* Invalid pk with a valid tweak */ memset(&internal_xonly_pk, 0, sizeof(internal_xonly_pk)); - rustsecp256k1zkp_v0_5_0_testrand256(tweak); + rustsecp256k1zkp_v0_6_0_testrand256(tweak); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(verify); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(verify); } void test_xonly_pubkey_tweak_check(void) { unsigned char zeros64[64] = { 0 }; unsigned char overflows[32]; unsigned char sk[32]; - rustsecp256k1zkp_v0_5_0_pubkey internal_pk; - rustsecp256k1zkp_v0_5_0_xonly_pubkey internal_xonly_pk; - rustsecp256k1zkp_v0_5_0_pubkey output_pk; - rustsecp256k1zkp_v0_5_0_xonly_pubkey output_xonly_pk; + rustsecp256k1zkp_v0_6_0_pubkey internal_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey internal_xonly_pk; + rustsecp256k1zkp_v0_6_0_pubkey output_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey output_xonly_pk; unsigned char output_pk32[32]; unsigned char buf32[32]; int pk_parity; unsigned char tweak[32]; int ecount; - rustsecp256k1zkp_v0_5_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); - rustsecp256k1zkp_v0_5_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); - rustsecp256k1zkp_v0_5_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); + rustsecp256k1zkp_v0_6_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); + rustsecp256k1zkp_v0_6_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); + rustsecp256k1zkp_v0_6_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); memset(overflows, 0xff, sizeof(overflows)); - rustsecp256k1zkp_v0_5_0_testrand256(tweak); - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &internal_pk, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(tweak); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &internal_pk, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(verify, &output_xonly_pk, &pk_parity, &output_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, buf32, &output_xonly_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(none, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(verify, &output_xonly_pk, &pk_parity, &output_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, buf32, &output_xonly_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(none, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(sign, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(sign, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(verify, NULL, pk_parity, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(verify, NULL, pk_parity, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 3); /* invalid pk_parity value */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(verify, buf32, 2, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(verify, buf32, 2, &internal_xonly_pk, tweak) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, NULL, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, NULL, tweak) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, NULL) == 0); CHECK(ecount == 5); memset(tweak, 1, sizeof(tweak)); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, NULL, &internal_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, output_pk32, &output_xonly_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, NULL, &internal_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, output_pk32, &output_xonly_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1); /* Wrong pk_parity */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0); /* Wrong public key */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, buf32, &internal_xonly_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, buf32, &internal_xonly_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); /* Overflowing tweak not allowed */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); CHECK(ecount == 5); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(verify); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(verify); } /* Starts with an initial pubkey and recursively creates N_PUBKEYS - 1 @@ -282,29 +319,29 @@ void test_xonly_pubkey_tweak_check(void) { #define N_PUBKEYS 32 void test_xonly_pubkey_tweak_recursive(void) { unsigned char sk[32]; - rustsecp256k1zkp_v0_5_0_pubkey pk[N_PUBKEYS]; + rustsecp256k1zkp_v0_6_0_pubkey pk[N_PUBKEYS]; unsigned char pk_serialized[32]; unsigned char tweak[N_PUBKEYS - 1][32]; int i; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pk[0], sk) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pk[0], sk) == 1); /* Add tweaks */ for (i = 0; i < N_PUBKEYS - 1; i++) { - rustsecp256k1zkp_v0_5_0_xonly_pubkey xonly_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey xonly_pk; memset(tweak[i], i + 1, sizeof(tweak[i])); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(ctx, &pk[i + 1], &xonly_pk, tweak[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(ctx, &pk[i + 1], &xonly_pk, tweak[i]) == 1); } /* Verify tweaks */ for (i = N_PUBKEYS - 1; i > 0; i--) { - rustsecp256k1zkp_v0_5_0_xonly_pubkey xonly_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey xonly_pk; int pk_parity; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk[i]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, pk_serialized, &xonly_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i - 1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, pk_serialized, &xonly_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i - 1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1); } } #undef N_PUBKEYS @@ -314,224 +351,224 @@ void test_keypair(void) { unsigned char sk_tmp[32]; unsigned char zeros96[96] = { 0 }; unsigned char overflows[32]; - rustsecp256k1zkp_v0_5_0_keypair keypair; - rustsecp256k1zkp_v0_5_0_pubkey pk, pk_tmp; - rustsecp256k1zkp_v0_5_0_xonly_pubkey xonly_pk, xonly_pk_tmp; + rustsecp256k1zkp_v0_6_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_pubkey pk, pk_tmp; + rustsecp256k1zkp_v0_6_0_xonly_pubkey xonly_pk, xonly_pk_tmp; int pk_parity, pk_parity_tmp; int ecount; - rustsecp256k1zkp_v0_5_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); - rustsecp256k1zkp_v0_5_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); - rustsecp256k1zkp_v0_5_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); + rustsecp256k1zkp_v0_6_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); + rustsecp256k1zkp_v0_6_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); + rustsecp256k1zkp_v0_6_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); CHECK(sizeof(zeros96) == sizeof(keypair)); memset(overflows, 0xFF, sizeof(overflows)); /* Test keypair_create */ ecount = 0; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(none, &keypair, sk) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(none, &keypair, sk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(verify, &keypair, sk) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(verify, &keypair, sk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, NULL, sk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, NULL, sk) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, &keypair, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, &keypair, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); CHECK(ecount == 4); /* Invalid secret key */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, &keypair, zeros96) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, &keypair, overflows) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, &keypair, zeros96) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, &keypair, overflows) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); /* Test keypair_pub */ ecount = 0; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_pub(none, &pk, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_pub(none, NULL, &keypair) == 0); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_pub(none, &pk, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_pub(none, NULL, &keypair) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_pub(none, &pk, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_pub(none, &pk, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &pk, sizeof(pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &pk, sizeof(pk)) == 0); /* Using an invalid keypair is fine for keypair_pub */ memset(&keypair, 0, sizeof(keypair)); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_pub(none, &pk, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &pk, sizeof(pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_pub(none, &pk, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &pk, sizeof(pk)) == 0); /* keypair holds the same pubkey as pubkey_create */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(sign, &pk, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_pub(none, &pk_tmp, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pk, &pk_tmp, sizeof(pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(sign, &pk, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_pub(none, &pk_tmp, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pk, &pk_tmp, sizeof(pk)) == 0); /** Test keypair_xonly_pub **/ ecount = 0; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(none, NULL, &pk_parity, &keypair) == 0); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(none, NULL, &pk_parity, &keypair) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(none, &xonly_pk, NULL, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(none, &xonly_pk, NULL, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0); /* Using an invalid keypair will set the xonly_pk to 0 (first reset * xonly_pk). */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1); memset(&keypair, 0, sizeof(keypair)); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0); CHECK(ecount == 3); /** keypair holds the same xonly pubkey as pubkey_create **/ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(sign, &pk, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(none, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(sign, &pk, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(none, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(pk)) == 0); CHECK(pk_parity == pk_parity_tmp); /* Test keypair_seckey */ ecount = 0; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_sec(none, sk_tmp, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_sec(none, NULL, &keypair) == 0); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_sec(none, sk_tmp, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_sec(none, NULL, &keypair) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_sec(none, sk_tmp, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_sec(none, sk_tmp, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0); /* keypair returns the same seckey it got */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(sign, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_sec(none, sk_tmp, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sk, sk_tmp, sizeof(sk_tmp)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(sign, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_sec(none, sk_tmp, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sk, sk_tmp, sizeof(sk_tmp)) == 0); /* Using an invalid keypair is fine for keypair_seckey */ memset(&keypair, 0, sizeof(keypair)); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_sec(none, sk_tmp, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_sec(none, sk_tmp, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(verify); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(verify); } void test_keypair_add(void) { unsigned char sk[32]; - rustsecp256k1zkp_v0_5_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_keypair keypair; unsigned char overflows[32]; unsigned char zeros96[96] = { 0 }; unsigned char tweak[32]; int i; int ecount = 0; - rustsecp256k1zkp_v0_5_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); - rustsecp256k1zkp_v0_5_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); - rustsecp256k1zkp_v0_5_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); + rustsecp256k1zkp_v0_6_0_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount); + rustsecp256k1zkp_v0_6_0_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount); + rustsecp256k1zkp_v0_6_0_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount); CHECK(sizeof(zeros96) == sizeof(keypair)); - rustsecp256k1zkp_v0_5_0_testrand256(sk); - rustsecp256k1zkp_v0_5_0_testrand256(tweak); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + rustsecp256k1zkp_v0_6_0_testrand256(tweak); memset(overflows, 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(none, &keypair, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(none, &keypair, tweak) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(sign, &keypair, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(sign, &keypair, tweak) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(verify, NULL, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(verify, NULL, tweak) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(verify, &keypair, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(verify, &keypair, NULL) == 0); CHECK(ecount == 4); /* This does not set the keypair to zeroes */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) != 0); /* Invalid tweak zeroes the keypair */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0); /* A zero tweak is fine */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1); /* Fails if the resulting keypair was (sk=0, pk=infinity) */ for (i = 0; i < count; i++) { - rustsecp256k1zkp_v0_5_0_scalar scalar_tweak; - rustsecp256k1zkp_v0_5_0_keypair keypair_tmp; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); + rustsecp256k1zkp_v0_6_0_scalar scalar_tweak; + rustsecp256k1zkp_v0_6_0_keypair keypair_tmp; + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); memcpy(&keypair_tmp, &keypair, sizeof(keypair)); /* Because sk may be negated before adding, we need to try with tweak = * sk as well as tweak = -sk. */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&scalar_tweak, sk, NULL); - rustsecp256k1zkp_v0_5_0_scalar_negate(&scalar_tweak, &scalar_tweak); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(tweak, &scalar_tweak); - CHECK((rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0) - || (rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0 - || rustsecp256k1zkp_v0_5_0_memcmp_var(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&scalar_tweak, sk, NULL); + rustsecp256k1zkp_v0_6_0_scalar_negate(&scalar_tweak, &scalar_tweak); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(tweak, &scalar_tweak); + CHECK((rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0) + || (rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0 + || rustsecp256k1zkp_v0_6_0_memcmp_var(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0); } /* Invalid keypair with a valid tweak */ memset(&keypair, 0, sizeof(keypair)); - rustsecp256k1zkp_v0_5_0_testrand256(tweak); + rustsecp256k1zkp_v0_6_0_testrand256(tweak); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0); /* Only seckey part of keypair invalid */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); memset(&keypair, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0); CHECK(ecount == 2); /* Only pubkey part of keypair invalid */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); memset(&keypair.data[32], 0, 64); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0); CHECK(ecount == 3); /* Check that the keypair_tweak_add implementation is correct */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); for (i = 0; i < count; i++) { - rustsecp256k1zkp_v0_5_0_xonly_pubkey internal_pk; - rustsecp256k1zkp_v0_5_0_xonly_pubkey output_pk; - rustsecp256k1zkp_v0_5_0_pubkey output_pk_xy; - rustsecp256k1zkp_v0_5_0_pubkey output_pk_expected; + rustsecp256k1zkp_v0_6_0_xonly_pubkey internal_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey output_pk; + rustsecp256k1zkp_v0_6_0_pubkey output_pk_xy; + rustsecp256k1zkp_v0_6_0_pubkey output_pk_expected; unsigned char pk32[32]; unsigned char sk32[32]; int pk_parity; - rustsecp256k1zkp_v0_5_0_testrand256(tweak); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(tweak); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1); /* Check that it passes xonly_pubkey_tweak_add_check */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1); /* Check that the resulting pubkey matches xonly_pubkey_tweak_add */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_pub(ctx, &output_pk_xy, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_pub(ctx, &output_pk_xy, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0); /* Check that the secret key in the keypair is tweaked correctly */ - CHECK(rustsecp256k1zkp_v0_5_0_keypair_sec(none, sk32, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &output_pk_expected, sk32) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_sec(none, sk32, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &output_pk_expected, sk32) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0); } - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(verify); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(verify); } void run_extrakeys_tests(void) { @@ -540,6 +577,7 @@ void run_extrakeys_tests(void) { test_xonly_pubkey_tweak(); test_xonly_pubkey_tweak_check(); test_xonly_pubkey_tweak_recursive(); + test_xonly_pubkey_comparison(); /* keypair tests */ test_keypair(); diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/Makefile.am.include index 8faddc8e..7b93b642 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_generator.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_generator.h noinst_HEADERS += src/modules/generator/main_impl.h noinst_HEADERS += src/modules/generator/tests_impl.h if USE_BENCHMARK diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/main_impl.h index 6d0a3655..233c4b16 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/main_impl.h @@ -14,60 +14,60 @@ #include "hash.h" #include "scalar.h" -static void rustsecp256k1zkp_v0_5_0_generator_load(rustsecp256k1zkp_v0_5_0_ge* ge, const rustsecp256k1zkp_v0_5_0_generator* gen) { +static void rustsecp256k1zkp_v0_6_0_generator_load(rustsecp256k1zkp_v0_6_0_ge* ge, const rustsecp256k1zkp_v0_6_0_generator* gen) { int succeed; - succeed = rustsecp256k1zkp_v0_5_0_fe_set_b32(&ge->x, &gen->data[0]); + succeed = rustsecp256k1zkp_v0_6_0_fe_set_b32(&ge->x, &gen->data[0]); VERIFY_CHECK(succeed != 0); - succeed = rustsecp256k1zkp_v0_5_0_fe_set_b32(&ge->y, &gen->data[32]); + succeed = rustsecp256k1zkp_v0_6_0_fe_set_b32(&ge->y, &gen->data[32]); VERIFY_CHECK(succeed != 0); ge->infinity = 0; (void) succeed; } -static void rustsecp256k1zkp_v0_5_0_generator_save(rustsecp256k1zkp_v0_5_0_generator *gen, rustsecp256k1zkp_v0_5_0_ge* ge) { - VERIFY_CHECK(!rustsecp256k1zkp_v0_5_0_ge_is_infinity(ge)); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge->x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge->y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&gen->data[0], &ge->x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&gen->data[32], &ge->y); +static void rustsecp256k1zkp_v0_6_0_generator_save(rustsecp256k1zkp_v0_6_0_generator *gen, rustsecp256k1zkp_v0_6_0_ge* ge) { + VERIFY_CHECK(!rustsecp256k1zkp_v0_6_0_ge_is_infinity(ge)); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge->x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge->y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&gen->data[0], &ge->x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&gen->data[32], &ge->y); } -int rustsecp256k1zkp_v0_5_0_generator_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_generator* gen, const unsigned char *input) { - rustsecp256k1zkp_v0_5_0_fe x; - rustsecp256k1zkp_v0_5_0_ge ge; +int rustsecp256k1zkp_v0_6_0_generator_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_generator* gen, const unsigned char *input) { + rustsecp256k1zkp_v0_6_0_fe x; + rustsecp256k1zkp_v0_6_0_ge ge; VERIFY_CHECK(ctx != NULL); ARG_CHECK(gen != NULL); ARG_CHECK(input != NULL); if ((input[0] & 0xFE) != 10 || - !rustsecp256k1zkp_v0_5_0_fe_set_b32(&x, &input[1]) || - !rustsecp256k1zkp_v0_5_0_ge_set_xquad(&ge, &x)) { + !rustsecp256k1zkp_v0_6_0_fe_set_b32(&x, &input[1]) || + !rustsecp256k1zkp_v0_6_0_ge_set_xquad(&ge, &x)) { return 0; } if (input[0] & 1) { - rustsecp256k1zkp_v0_5_0_ge_neg(&ge, &ge); + rustsecp256k1zkp_v0_6_0_ge_neg(&ge, &ge); } - rustsecp256k1zkp_v0_5_0_generator_save(gen, &ge); + rustsecp256k1zkp_v0_6_0_generator_save(gen, &ge); return 1; } -int rustsecp256k1zkp_v0_5_0_generator_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, const rustsecp256k1zkp_v0_5_0_generator* gen) { - rustsecp256k1zkp_v0_5_0_ge ge; +int rustsecp256k1zkp_v0_6_0_generator_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, const rustsecp256k1zkp_v0_6_0_generator* gen) { + rustsecp256k1zkp_v0_6_0_ge ge; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output != NULL); ARG_CHECK(gen != NULL); - rustsecp256k1zkp_v0_5_0_generator_load(&ge, gen); + rustsecp256k1zkp_v0_6_0_generator_load(&ge, gen); - output[0] = 11 ^ rustsecp256k1zkp_v0_5_0_fe_is_quad_var(&ge.y); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&output[1], &ge.x); + output[0] = 11 ^ rustsecp256k1zkp_v0_6_0_fe_is_quad_var(&ge.y); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&output[1], &ge.x); return 1; } -static void shallue_van_de_woestijne(rustsecp256k1zkp_v0_5_0_ge* ge, const rustsecp256k1zkp_v0_5_0_fe* t) { +static void shallue_van_de_woestijne(rustsecp256k1zkp_v0_6_0_ge* ge, const rustsecp256k1zkp_v0_6_0_fe* t) { /* Implements the algorithm from: * Indifferentiable Hashing to Barreto-Naehrig Curves * Pierre-Alain Fouque and Mehdi Tibouchi @@ -99,124 +99,124 @@ static void shallue_van_de_woestijne(rustsecp256k1zkp_v0_5_0_ge* ge, const rusts 1 / x2d = x3d = 1/j * wd */ - static const rustsecp256k1zkp_v0_5_0_fe c = SECP256K1_FE_CONST(0x0a2d2ba9, 0x3507f1df, 0x233770c2, 0xa797962c, 0xc61f6d15, 0xda14ecd4, 0x7d8d27ae, 0x1cd5f852); - static const rustsecp256k1zkp_v0_5_0_fe d = SECP256K1_FE_CONST(0x851695d4, 0x9a83f8ef, 0x919bb861, 0x53cbcb16, 0x630fb68a, 0xed0a766a, 0x3ec693d6, 0x8e6afa40); - static const rustsecp256k1zkp_v0_5_0_fe b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7); - static const rustsecp256k1zkp_v0_5_0_fe b_plus_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 8); + static const rustsecp256k1zkp_v0_6_0_fe c = SECP256K1_FE_CONST(0x0a2d2ba9, 0x3507f1df, 0x233770c2, 0xa797962c, 0xc61f6d15, 0xda14ecd4, 0x7d8d27ae, 0x1cd5f852); + static const rustsecp256k1zkp_v0_6_0_fe d = SECP256K1_FE_CONST(0x851695d4, 0x9a83f8ef, 0x919bb861, 0x53cbcb16, 0x630fb68a, 0xed0a766a, 0x3ec693d6, 0x8e6afa40); + static const rustsecp256k1zkp_v0_6_0_fe b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7); + static const rustsecp256k1zkp_v0_6_0_fe b_plus_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 8); - rustsecp256k1zkp_v0_5_0_fe wn, wd, x1n, x2n, x3n, x3d, jinv, tmp, x1, x2, x3, alphain, betain, gammain, y1, y2, y3; + rustsecp256k1zkp_v0_6_0_fe wn, wd, x1n, x2n, x3n, x3d, jinv, tmp, x1, x2, x3, alphain, betain, gammain, y1, y2, y3; int alphaquad, betaquad; - rustsecp256k1zkp_v0_5_0_fe_mul(&wn, &c, t); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&wd, t); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_add(&wd, &b_plus_one); /* mag 2 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&tmp, t, &wn); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_negate(&tmp, &tmp, 1); /* mag 2 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x1n, &d, &wd); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_add(&x1n, &tmp); /* mag 3 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&wn, &c, t); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&wd, t); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_add(&wd, &b_plus_one); /* mag 2 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&tmp, t, &wn); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_negate(&tmp, &tmp, 1); /* mag 2 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x1n, &d, &wd); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_add(&x1n, &tmp); /* mag 3 */ x2n = x1n; /* mag 3 */ - rustsecp256k1zkp_v0_5_0_fe_add(&x2n, &wd); /* mag 5 */ - rustsecp256k1zkp_v0_5_0_fe_negate(&x2n, &x2n, 5); /* mag 6 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x3d, &c, t); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&x3d, &x3d); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&x3n, &wd); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_add(&x3n, &x3d); /* mag 2 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&jinv, &x3d, &wd); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_inv(&jinv, &jinv); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x1, &x1n, &x3d); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x1, &x1, &jinv); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x2, &x2n, &x3d); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x2, &x2, &jinv); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x3, &x3n, &wd); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&x3, &x3, &jinv); /* mag 1 */ - - rustsecp256k1zkp_v0_5_0_fe_sqr(&alphain, &x1); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&alphain, &alphain, &x1); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_add(&alphain, &b); /* mag 2 */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&betain, &x2); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&betain, &betain, &x2); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_add(&betain, &b); /* mag 2 */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&gammain, &x3); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_mul(&gammain, &gammain, &x3); /* mag 1 */ - rustsecp256k1zkp_v0_5_0_fe_add(&gammain, &b); /* mag 2 */ - - alphaquad = rustsecp256k1zkp_v0_5_0_fe_sqrt(&y1, &alphain); - betaquad = rustsecp256k1zkp_v0_5_0_fe_sqrt(&y2, &betain); - rustsecp256k1zkp_v0_5_0_fe_sqrt(&y3, &gammain); - - rustsecp256k1zkp_v0_5_0_fe_cmov(&x1, &x2, (!alphaquad) & betaquad); - rustsecp256k1zkp_v0_5_0_fe_cmov(&y1, &y2, (!alphaquad) & betaquad); - rustsecp256k1zkp_v0_5_0_fe_cmov(&x1, &x3, (!alphaquad) & !betaquad); - rustsecp256k1zkp_v0_5_0_fe_cmov(&y1, &y3, (!alphaquad) & !betaquad); - - rustsecp256k1zkp_v0_5_0_ge_set_xy(ge, &x1, &y1); + rustsecp256k1zkp_v0_6_0_fe_add(&x2n, &wd); /* mag 5 */ + rustsecp256k1zkp_v0_6_0_fe_negate(&x2n, &x2n, 5); /* mag 6 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x3d, &c, t); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&x3d, &x3d); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&x3n, &wd); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_add(&x3n, &x3d); /* mag 2 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&jinv, &x3d, &wd); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_inv(&jinv, &jinv); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x1, &x1n, &x3d); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x1, &x1, &jinv); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x2, &x2n, &x3d); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x2, &x2, &jinv); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x3, &x3n, &wd); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&x3, &x3, &jinv); /* mag 1 */ + + rustsecp256k1zkp_v0_6_0_fe_sqr(&alphain, &x1); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&alphain, &alphain, &x1); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_add(&alphain, &b); /* mag 2 */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&betain, &x2); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&betain, &betain, &x2); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_add(&betain, &b); /* mag 2 */ + rustsecp256k1zkp_v0_6_0_fe_sqr(&gammain, &x3); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_mul(&gammain, &gammain, &x3); /* mag 1 */ + rustsecp256k1zkp_v0_6_0_fe_add(&gammain, &b); /* mag 2 */ + + alphaquad = rustsecp256k1zkp_v0_6_0_fe_sqrt(&y1, &alphain); + betaquad = rustsecp256k1zkp_v0_6_0_fe_sqrt(&y2, &betain); + rustsecp256k1zkp_v0_6_0_fe_sqrt(&y3, &gammain); + + rustsecp256k1zkp_v0_6_0_fe_cmov(&x1, &x2, (!alphaquad) & betaquad); + rustsecp256k1zkp_v0_6_0_fe_cmov(&y1, &y2, (!alphaquad) & betaquad); + rustsecp256k1zkp_v0_6_0_fe_cmov(&x1, &x3, (!alphaquad) & !betaquad); + rustsecp256k1zkp_v0_6_0_fe_cmov(&y1, &y3, (!alphaquad) & !betaquad); + + rustsecp256k1zkp_v0_6_0_ge_set_xy(ge, &x1, &y1); /* The linked algorithm from the paper uses the Jacobi symbol of t to * determine the Jacobi symbol of the produced y coordinate. Since the * rest of the algorithm only uses t^2, we can safely use another criterion * as long as negation of t results in negation of the y coordinate. Here * we choose to use t's oddness, as it is faster to determine. */ - rustsecp256k1zkp_v0_5_0_fe_negate(&tmp, &ge->y, 1); - rustsecp256k1zkp_v0_5_0_fe_cmov(&ge->y, &tmp, rustsecp256k1zkp_v0_5_0_fe_is_odd(t)); + rustsecp256k1zkp_v0_6_0_fe_negate(&tmp, &ge->y, 1); + rustsecp256k1zkp_v0_6_0_fe_cmov(&ge->y, &tmp, rustsecp256k1zkp_v0_6_0_fe_is_odd(t)); } -static int rustsecp256k1zkp_v0_5_0_generator_generate_internal(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_generator* gen, const unsigned char *key32, const unsigned char *blind32) { +static int rustsecp256k1zkp_v0_6_0_generator_generate_internal(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_generator* gen, const unsigned char *key32, const unsigned char *blind32) { static const unsigned char prefix1[17] = "1st generation: "; static const unsigned char prefix2[17] = "2nd generation: "; - rustsecp256k1zkp_v0_5_0_fe t = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 4); - rustsecp256k1zkp_v0_5_0_ge add; - rustsecp256k1zkp_v0_5_0_gej accum; + rustsecp256k1zkp_v0_6_0_fe t = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 4); + rustsecp256k1zkp_v0_6_0_ge add; + rustsecp256k1zkp_v0_6_0_gej accum; int overflow; - rustsecp256k1zkp_v0_5_0_sha256 sha256; + rustsecp256k1zkp_v0_6_0_sha256 sha256; unsigned char b32[32]; int ret = 1; if (blind32) { - rustsecp256k1zkp_v0_5_0_scalar blind; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&blind, blind32, &overflow); + rustsecp256k1zkp_v0_6_0_scalar blind; + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&blind, blind32, &overflow); ret = !overflow; - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &accum, &blind); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &accum, &blind); } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256, prefix1, 16); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256, key32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256, b32); - ret &= rustsecp256k1zkp_v0_5_0_fe_set_b32(&t, b32); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256, prefix1, 16); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256, key32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256, b32); + ret &= rustsecp256k1zkp_v0_6_0_fe_set_b32(&t, b32); shallue_van_de_woestijne(&add, &t); if (blind32) { - rustsecp256k1zkp_v0_5_0_gej_add_ge(&accum, &accum, &add); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&accum, &accum, &add); } else { - rustsecp256k1zkp_v0_5_0_gej_set_ge(&accum, &add); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&accum, &add); } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256, prefix2, 16); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256, key32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256, b32); - ret &= rustsecp256k1zkp_v0_5_0_fe_set_b32(&t, b32); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256, prefix2, 16); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256, key32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256, b32); + ret &= rustsecp256k1zkp_v0_6_0_fe_set_b32(&t, b32); shallue_van_de_woestijne(&add, &t); - rustsecp256k1zkp_v0_5_0_gej_add_ge(&accum, &accum, &add); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&accum, &accum, &add); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&add, &accum); - rustsecp256k1zkp_v0_5_0_generator_save(gen, &add); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&add, &accum); + rustsecp256k1zkp_v0_6_0_generator_save(gen, &add); return ret; } -int rustsecp256k1zkp_v0_5_0_generator_generate(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_generator* gen, const unsigned char *key32) { +int rustsecp256k1zkp_v0_6_0_generator_generate(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_generator* gen, const unsigned char *key32) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(gen != NULL); ARG_CHECK(key32 != NULL); - return rustsecp256k1zkp_v0_5_0_generator_generate_internal(ctx, gen, key32, NULL); + return rustsecp256k1zkp_v0_6_0_generator_generate_internal(ctx, gen, key32, NULL); } -int rustsecp256k1zkp_v0_5_0_generator_generate_blinded(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_generator* gen, const unsigned char *key32, const unsigned char *blind32) { +int rustsecp256k1zkp_v0_6_0_generator_generate_blinded(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_generator* gen, const unsigned char *key32, const unsigned char *blind32) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(gen != NULL); ARG_CHECK(key32 != NULL); ARG_CHECK(blind32 != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); - return rustsecp256k1zkp_v0_5_0_generator_generate_internal(ctx, gen, key32, blind32); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + return rustsecp256k1zkp_v0_6_0_generator_generate_internal(ctx, gen, key32, blind32); } #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/tests_impl.h index df143068..aac15e35 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/generator/tests_impl.h @@ -21,64 +21,64 @@ void test_generator_api(void) { unsigned char key[32]; unsigned char blind[32]; unsigned char sergen[33]; - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_generator gen; + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_generator gen; int32_t ecount = 0; - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_testrand256(key); - rustsecp256k1zkp_v0_5_0_testrand256(blind); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_testrand256(key); + rustsecp256k1zkp_v0_6_0_testrand256(blind); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate(none, &gen, key) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate(none, &gen, key) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate(none, NULL, key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate(none, NULL, key) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate(none, &gen, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate(none, &gen, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(sign, &gen, key, blind) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(sign, &gen, key, blind) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(vrfy, &gen, key, blind) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(vrfy, &gen, key, blind) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(none, &gen, key, blind) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(none, &gen, key, blind) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(vrfy, NULL, key, blind) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(vrfy, NULL, key, blind) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(vrfy, &gen, NULL, blind) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(vrfy, &gen, NULL, blind) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(vrfy, &gen, key, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(vrfy, &gen, key, NULL) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_generator_serialize(none, sergen, &gen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_generator_serialize(none, sergen, &gen) == 1); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_generator_serialize(none, NULL, &gen) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_serialize(none, NULL, &gen) == 0); CHECK(ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_generator_serialize(none, sergen, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_serialize(none, sergen, NULL) == 0); CHECK(ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_generator_serialize(none, sergen, &gen) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(none, &gen, sergen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_generator_serialize(none, sergen, &gen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(none, &gen, sergen) == 1); CHECK(ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(none, NULL, sergen) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(none, NULL, sergen) == 0); CHECK(ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(none, &gen, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(none, &gen, NULL) == 0); CHECK(ecount == 11); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); } void test_shallue_van_de_woestijne(void) { /* Matches with the output of the shallue_van_de_woestijne.sage SAGE program */ - static const rustsecp256k1zkp_v0_5_0_ge_storage results[32] = { + static const rustsecp256k1zkp_v0_6_0_ge_storage results[32] = { SECP256K1_GE_STORAGE_CONST(0xedd1fd3e, 0x327ce90c, 0xc7a35426, 0x14289aee, 0x9682003e, 0x9cf7dcc9, 0xcf2ca974, 0x3be5aa0c, 0x0225f529, 0xee75acaf, 0xccfc4560, 0x26c5e46b, 0xf80237a3, 0x3924655a, 0x16f90e88, 0x085ed52a), SECP256K1_GE_STORAGE_CONST(0xedd1fd3e, 0x327ce90c, 0xc7a35426, 0x14289aee, 0x9682003e, 0x9cf7dcc9, 0xcf2ca974, 0x3be5aa0c, 0xfdda0ad6, 0x118a5350, 0x3303ba9f, 0xd93a1b94, 0x07fdc85c, 0xc6db9aa5, 0xe906f176, 0xf7a12705), SECP256K1_GE_STORAGE_CONST(0x2c5cdc9c, 0x338152fa, 0x85de92cb, 0x1bee9907, 0x765a922e, 0x4f037cce, 0x14ecdbf2, 0x2f78fe15, 0x56716069, 0x6818286b, 0x72f01a3e, 0x5e8caca7, 0x36249160, 0xc7ded69d, 0xd51913c3, 0x03a2fa97), @@ -113,28 +113,28 @@ void test_shallue_van_de_woestijne(void) { SECP256K1_GE_STORAGE_CONST(0xf75763bc, 0x2907e79b, 0x125e33c3, 0x9a027f48, 0x0f8c6409, 0x2153432f, 0x967bc2b1, 0x1d1f5cf0, 0x4b571239, 0xc9c6e4c6, 0x643de63f, 0xc2fcced7, 0x2432b9c1, 0x2daf9c6b, 0xf9e47859, 0x61aef9fa), }; - rustsecp256k1zkp_v0_5_0_ge ge; - rustsecp256k1zkp_v0_5_0_fe fe; - rustsecp256k1zkp_v0_5_0_ge_storage ges; + rustsecp256k1zkp_v0_6_0_ge ge; + rustsecp256k1zkp_v0_6_0_fe fe; + rustsecp256k1zkp_v0_6_0_ge_storage ges; int i, s; for (i = 1; i <= 16; i++) { - rustsecp256k1zkp_v0_5_0_fe_set_int(&fe, i); + rustsecp256k1zkp_v0_6_0_fe_set_int(&fe, i); for (s = 0; s < 2; s++) { if (s) { - rustsecp256k1zkp_v0_5_0_fe_negate(&fe, &fe, 1); - rustsecp256k1zkp_v0_5_0_fe_normalize(&fe); + rustsecp256k1zkp_v0_6_0_fe_negate(&fe, &fe, 1); + rustsecp256k1zkp_v0_6_0_fe_normalize(&fe); } shallue_van_de_woestijne(&ge, &fe); - rustsecp256k1zkp_v0_5_0_ge_to_storage(&ges, &ge); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&ges, &ge); - CHECK(memcmp(&ges, &results[i * 2 + s - 2], sizeof(rustsecp256k1zkp_v0_5_0_ge_storage)) == 0); + CHECK(memcmp(&ges, &results[i * 2 + s - 2], sizeof(rustsecp256k1zkp_v0_6_0_ge_storage)) == 0); } } } void test_generator_generate(void) { - static const rustsecp256k1zkp_v0_5_0_ge_storage results[32] = { + static const rustsecp256k1zkp_v0_6_0_ge_storage results[32] = { SECP256K1_GE_STORAGE_CONST(0x806cd8ed, 0xd6c153e3, 0x4aa9b9a0, 0x8755c4be, 0x4718b1ef, 0xb26cb93f, 0xfdd99e1b, 0x21f2af8e, 0xc7062208, 0xcc649a03, 0x1bdc1a33, 0x9d01f115, 0x4bcd0dca, 0xfe0b875d, 0x62f35f73, 0x28673006), SECP256K1_GE_STORAGE_CONST(0xd91b15ec, 0x47a811f4, 0xaa189561, 0xd13f5c4d, 0x4e81f10d, 0xc7dc551f, 0x4fea9b84, 0x610314c4, 0x9b0ada1e, 0xb38efd67, 0x8bff0b6c, 0x7d7315f7, 0xb49b8cc5, 0xa679fad4, 0xc94f9dc6, 0x9da66382), SECP256K1_GE_STORAGE_CONST(0x11c00de6, 0xf885035e, 0x76051430, 0xa3c38b2a, 0x5f86ab8c, 0xf66dae58, 0x04ea7307, 0x348b19bf, 0xe0858ae7, 0x61dcb1ba, 0xff247e37, 0xd38fcd88, 0xf3bd7911, 0xaa4ed6e0, 0x28d792dd, 0x3ee1ac09), @@ -168,34 +168,34 @@ void test_generator_generate(void) { SECP256K1_GE_STORAGE_CONST(0x150df593, 0x5b6956a0, 0x0cfed843, 0xb9d6ffce, 0x4f790022, 0xea18730f, 0xc495111d, 0x91568e55, 0x6700a2ca, 0x9ff4ed32, 0xc1697312, 0x4eb51ce3, 0x5656344b, 0x65a1e3d5, 0xd6c1f7ce, 0x29233f82), SECP256K1_GE_STORAGE_CONST(0x38e02eaf, 0x2c8774fd, 0x58b8b373, 0x732457f1, 0x16dbe53b, 0xea5683d9, 0xada20dd7, 0x14ce20a6, 0x6ac5362e, 0xbb425416, 0x8250f43f, 0xa4ee2b63, 0x0406324f, 0x1c876d60, 0xebe5be2c, 0x6eb1515b), }; - rustsecp256k1zkp_v0_5_0_generator gen; - rustsecp256k1zkp_v0_5_0_ge ge; - rustsecp256k1zkp_v0_5_0_ge_storage ges; + rustsecp256k1zkp_v0_6_0_generator gen; + rustsecp256k1zkp_v0_6_0_ge ge; + rustsecp256k1zkp_v0_6_0_ge_storage ges; int i; unsigned char v[32]; unsigned char s[32] = {0}; - rustsecp256k1zkp_v0_5_0_scalar sc; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sc, s, NULL); + rustsecp256k1zkp_v0_6_0_scalar sc; + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sc, s, NULL); for (i = 1; i <= 32; i++) { memset(v, 0, 31); v[31] = i; - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &gen, v, s)); - rustsecp256k1zkp_v0_5_0_generator_load(&ge, &gen); - rustsecp256k1zkp_v0_5_0_ge_to_storage(&ges, &ge); - CHECK(memcmp(&ges, &results[i - 1], sizeof(rustsecp256k1zkp_v0_5_0_ge_storage)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate(ctx, &gen, v)); - rustsecp256k1zkp_v0_5_0_generator_load(&ge, &gen); - rustsecp256k1zkp_v0_5_0_ge_to_storage(&ges, &ge); - CHECK(memcmp(&ges, &results[i - 1], sizeof(rustsecp256k1zkp_v0_5_0_ge_storage)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &gen, v, s)); + rustsecp256k1zkp_v0_6_0_generator_load(&ge, &gen); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&ges, &ge); + CHECK(memcmp(&ges, &results[i - 1], sizeof(rustsecp256k1zkp_v0_6_0_ge_storage)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate(ctx, &gen, v)); + rustsecp256k1zkp_v0_6_0_generator_load(&ge, &gen); + rustsecp256k1zkp_v0_6_0_ge_to_storage(&ges, &ge); + CHECK(memcmp(&ges, &results[i - 1], sizeof(rustsecp256k1zkp_v0_6_0_ge_storage)) == 0); } /* There is no range restriction on the value, but the blinder must be a * valid scalar. Check that an invalid blinder causes the call to fail * but not crash. */ memset(v, 0xff, 32); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate(ctx, &gen, v)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate(ctx, &gen, v)); memset(s, 0xff, 32); - CHECK(!rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &gen, v, s)); + CHECK(!rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &gen, v, s)); } void test_generator_fixed_vector(void) { @@ -205,16 +205,16 @@ void test_generator_fixed_vector(void) { 0x5c, 0x77, 0x8e, 0x4b, 0x8c, 0xef, 0x3c, 0xa7, 0xab, 0xac, 0x09, 0xb9, 0x5c, 0x70, 0x9e, 0xe5 }; unsigned char result[33]; - rustsecp256k1zkp_v0_5_0_generator parse; + rustsecp256k1zkp_v0_6_0_generator parse; - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &parse, two_g)); - CHECK(rustsecp256k1zkp_v0_5_0_generator_serialize(ctx, result, &parse)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &parse, two_g)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_serialize(ctx, result, &parse)); CHECK(memcmp(two_g, result, 33) == 0); result[0] = 0x0a; - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &parse, result)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &parse, result)); result[0] = 0x08; - CHECK(!rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &parse, result)); + CHECK(!rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &parse, result)); } void run_generator_tests(void) { diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/Makefile.am.include index 0936eb9b..270194a6 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_musig.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_musig.h noinst_HEADERS += src/modules/musig/main_impl.h noinst_HEADERS += src/modules/musig/tests_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/example.c b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/example.c index 8e3b0765..9157fce0 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/example.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/example.c @@ -6,7 +6,7 @@ /** * This file demonstrates how to use the MuSig module to create a multisignature. - * Additionally, see the documentation in include/rustsecp256k1zkp_v0_5_0_musig.h. + * Additionally, see the documentation in include/rustsecp256k1zkp_v0_6_0_musig.h. */ #include @@ -18,9 +18,9 @@ /* Number of public keys involved in creating the aggregate signature */ #define N_SIGNERS 3 /* Create a key pair and store it in seckey and pubkey */ -int create_keypair(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey) { +int create_keypair(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey) { int ret; - rustsecp256k1zkp_v0_5_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_keypair keypair; FILE *frand = fopen("/dev/urandom", "r"); if (frand == NULL) { return 0; @@ -31,36 +31,36 @@ int create_keypair(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *se return 0; } /* The probability that this not a valid secret key is approximately 2^-128 */ - } while (!rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, seckey)); + } while (!rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, seckey)); fclose(frand); - ret = rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, seckey); - ret &= rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, pubkey, NULL, &keypair); + ret = rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, seckey); + ret &= rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, pubkey, NULL, &keypair); return ret; } /* Sign a message hash with the given key pairs and store the result in sig */ -int sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char seckeys[][32], const rustsecp256k1zkp_v0_5_0_xonly_pubkey* pubkeys, const unsigned char* msg32, unsigned char *sig64) { - rustsecp256k1zkp_v0_5_0_musig_session musig_session[N_SIGNERS]; +int sign(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char seckeys[][32], const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pubkeys, const unsigned char* msg32, unsigned char *sig64) { + rustsecp256k1zkp_v0_6_0_musig_session musig_session[N_SIGNERS]; unsigned char nonce_commitment[N_SIGNERS][32]; const unsigned char *nonce_commitment_ptr[N_SIGNERS]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS]; unsigned char nonce[N_SIGNERS][32]; int i, j; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig[N_SIGNERS]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig[N_SIGNERS]; for (i = 0; i < N_SIGNERS; i++) { FILE *frand; unsigned char session_id32[32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session; /* Create combined pubkey and initialize signer data */ - if (!rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, NULL, &combined_pk, &pre_session, pubkeys, N_SIGNERS)) { + if (!rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, NULL, &combined_pk, &pre_session, pubkeys, N_SIGNERS)) { return 0; } /* Create random session ID. It is absolutely necessary that the session ID - * is unique for every call of rustsecp256k1zkp_v0_5_0_musig_session_init. Otherwise + * is unique for every call of rustsecp256k1zkp_v0_6_0_musig_session_init. Otherwise * it's trivial for an attacker to extract the secret key! */ frand = fopen("/dev/urandom", "r"); if(frand == NULL) { @@ -72,7 +72,7 @@ int sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char seckeys[][32] } fclose(frand); /* Initialize session */ - if (!rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &musig_session[i], signer_data[i], nonce_commitment[i], session_id32, msg32, &combined_pk, &pre_session, N_SIGNERS, i, seckeys[i])) { + if (!rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &musig_session[i], signer_data[i], nonce_commitment[i], session_id32, msg32, &combined_pk, &pre_session, N_SIGNERS, i, seckeys[i])) { return 0; } nonce_commitment_ptr[i] = &nonce_commitment[i][0]; @@ -80,26 +80,26 @@ int sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char seckeys[][32] /* Communication round 1: Exchange nonce commitments */ for (i = 0; i < N_SIGNERS; i++) { /* Set nonce commitments in the signer data and get the own public nonce */ - if (!rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], nonce[i], nonce_commitment_ptr, N_SIGNERS, NULL)) { + if (!rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], nonce[i], nonce_commitment_ptr, N_SIGNERS, NULL)) { return 0; } } /* Communication round 2: Exchange nonces */ for (i = 0; i < N_SIGNERS; i++) { for (j = 0; j < N_SIGNERS; j++) { - if (!rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signer_data[i][j], nonce[j])) { + if (!rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signer_data[i][j], nonce[j])) { /* Signer j's nonce does not match the nonce commitment. In this case * abort the protocol. If you make another attempt at finishing the * protocol, create a new session (with a fresh session ID!). */ return 0; } } - if (!rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &musig_session[i], signer_data[i], N_SIGNERS, NULL, NULL)) { + if (!rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &musig_session[i], signer_data[i], N_SIGNERS, NULL, NULL)) { return 0; } } for (i = 0; i < N_SIGNERS; i++) { - if (!rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &musig_session[i], &partial_sig[i])) { + if (!rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &musig_session[i], &partial_sig[i])) { return 0; } } @@ -108,7 +108,7 @@ int sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char seckeys[][32] for (j = 0; j < N_SIGNERS; j++) { /* To check whether signing was successful, it suffices to either verify * the combined signature with the combined public key using - * rustsecp256k1zkp_v0_5_0_schnorrsig_verify, or verify all partial signatures of all + * rustsecp256k1zkp_v0_6_0_schnorrsig_verify, or verify all partial signatures of all * signers individually. Verifying the combined signature is cheaper but * verifying the individual partial signatures has the advantage that it * can be used to determine which of the partial signatures are invalid @@ -117,25 +117,25 @@ int sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char seckeys[][32] * fine to first verify the combined sig, and only verify the individual * sigs if it does not work. */ - if (!rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &musig_session[i], &signer_data[i][j], &partial_sig[j], &pubkeys[j])) { + if (!rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &musig_session[i], &signer_data[i][j], &partial_sig[j], &pubkeys[j])) { return 0; } } } - return rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(ctx, &musig_session[0], sig64, partial_sig, N_SIGNERS); + return rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(ctx, &musig_session[0], sig64, partial_sig, N_SIGNERS); } int main(void) { - rustsecp256k1zkp_v0_5_0_context* ctx; + rustsecp256k1zkp_v0_6_0_context* ctx; int i; unsigned char seckeys[N_SIGNERS][32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pubkeys[N_SIGNERS]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pubkeys[N_SIGNERS]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk; unsigned char msg[32] = "this_could_be_the_hash_of_a_msg!"; unsigned char sig[64]; /* Create a context for signing and verification */ - ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); printf("Creating key pairs......"); for (i = 0; i < N_SIGNERS; i++) { if (!create_keypair(ctx, seckeys[i], &pubkeys[i])) { @@ -145,7 +145,7 @@ int sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char seckeys[][32] } printf("ok\n"); printf("Combining public keys..."); - if (!rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, NULL, &combined_pk, NULL, pubkeys, N_SIGNERS)) { + if (!rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, NULL, &combined_pk, NULL, pubkeys, N_SIGNERS)) { printf("FAILED\n"); return 1; } @@ -157,12 +157,12 @@ int sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char seckeys[][32] } printf("ok\n"); printf("Verifying signature....."); - if (!rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig, msg, &combined_pk)) { + if (!rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig, msg, &combined_pk)) { printf("FAILED\n"); return 1; } printf("ok\n"); - rustsecp256k1zkp_v0_5_0_context_destroy(ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(ctx); return 0; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/main_impl.h index cd0412db..b9b43a78 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/main_impl.h @@ -13,26 +13,26 @@ #include "hash.h" /* Computes ell = SHA256(pk[0], ..., pk[np-1]) */ -static int rustsecp256k1zkp_v0_5_0_musig_compute_ell(const rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *ell, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pk, size_t np) { - rustsecp256k1zkp_v0_5_0_sha256 sha; +static int rustsecp256k1zkp_v0_6_0_musig_compute_ell(const rustsecp256k1zkp_v0_6_0_context *ctx, unsigned char *ell, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pk, size_t np) { + rustsecp256k1zkp_v0_6_0_sha256 sha; size_t i; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); for (i = 0; i < np; i++) { unsigned char ser[32]; - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, ser, &pk[i])) { + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, ser, &pk[i])) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, ser, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, ser, 32); } - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, ell); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, ell); return 1; } /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("MuSig coefficient")||SHA256("MuSig coefficient"). */ -static void rustsecp256k1zkp_v0_5_0_musig_sha256_init_tagged(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_musig_sha256_init_tagged(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0x0fd0690cul; sha->s[1] = 0xfefeae97ul; @@ -46,13 +46,13 @@ static void rustsecp256k1zkp_v0_5_0_musig_sha256_init_tagged(rustsecp256k1zkp_v0 } /* Compute r = SHA256(ell, idx). The four bytes of idx are serialized least significant byte first. */ -static void rustsecp256k1zkp_v0_5_0_musig_coefficient(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char *ell, uint32_t idx) { - rustsecp256k1zkp_v0_5_0_sha256 sha; +static void rustsecp256k1zkp_v0_6_0_musig_coefficient(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char *ell, uint32_t idx) { + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char buf[32]; size_t i; - rustsecp256k1zkp_v0_5_0_musig_sha256_init_tagged(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, ell, 32); + rustsecp256k1zkp_v0_6_0_musig_sha256_init_tagged(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, ell, 32); /* We're hashing the index of the signer instead of its public key as specified * in the MuSig paper. This reduces the total amount of data that needs to be * hashed. @@ -67,27 +67,27 @@ static void rustsecp256k1zkp_v0_5_0_musig_coefficient(rustsecp256k1zkp_v0_5_0_sc * ell), the index is just a different encoding of the public key.*/ for (i = 0; i < sizeof(uint32_t); i++) { unsigned char c = idx; - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, &c, 1); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, &c, 1); idx >>= 8; } - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, buf); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, buf, NULL); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, buf); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(r, buf, NULL); } typedef struct { - const rustsecp256k1zkp_v0_5_0_context *ctx; + const rustsecp256k1zkp_v0_6_0_context *ctx; unsigned char ell[32]; - const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pks; -} rustsecp256k1zkp_v0_5_0_musig_pubkey_combine_ecmult_data; + const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pks; +} rustsecp256k1zkp_v0_6_0_musig_pubkey_combine_ecmult_data; /* Callback for batch EC multiplication to compute ell_0*P0 + ell_1*P1 + ... */ -static int rustsecp256k1zkp_v0_5_0_musig_pubkey_combine_callback(rustsecp256k1zkp_v0_5_0_scalar *sc, rustsecp256k1zkp_v0_5_0_ge *pt, size_t idx, void *data) { - rustsecp256k1zkp_v0_5_0_musig_pubkey_combine_ecmult_data *ctx = (rustsecp256k1zkp_v0_5_0_musig_pubkey_combine_ecmult_data *) data; - rustsecp256k1zkp_v0_5_0_musig_coefficient(sc, ctx->ell, idx); - return rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx->ctx, pt, &ctx->pks[idx]); +static int rustsecp256k1zkp_v0_6_0_musig_pubkey_combine_callback(rustsecp256k1zkp_v0_6_0_scalar *sc, rustsecp256k1zkp_v0_6_0_ge *pt, size_t idx, void *data) { + rustsecp256k1zkp_v0_6_0_musig_pubkey_combine_ecmult_data *ctx = (rustsecp256k1zkp_v0_6_0_musig_pubkey_combine_ecmult_data *) data; + rustsecp256k1zkp_v0_6_0_musig_coefficient(sc, ctx->ell, idx); + return rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx->ctx, pt, &ctx->pks[idx]); } -static void rustsecp256k1zkp_v0_5_0_musig_signers_init(rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, uint32_t n_signers) { +static void rustsecp256k1zkp_v0_6_0_musig_signers_init(rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, uint32_t n_signers) { uint32_t i; for (i = 0; i < n_signers; i++) { memset(&signers[i], 0, sizeof(signers[i])); @@ -98,30 +98,30 @@ static void rustsecp256k1zkp_v0_5_0_musig_signers_init(rustsecp256k1zkp_v0_5_0_m static const uint64_t pre_session_magic = 0xf4adbbdf7c7dd304UL; -int rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scratch_space *scratch, rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkeys, size_t n_pubkeys) { - rustsecp256k1zkp_v0_5_0_musig_pubkey_combine_ecmult_data ecmult_data; - rustsecp256k1zkp_v0_5_0_gej pkj; - rustsecp256k1zkp_v0_5_0_ge pkp; +int rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scratch_space *scratch, rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkeys, size_t n_pubkeys) { + rustsecp256k1zkp_v0_6_0_musig_pubkey_combine_ecmult_data ecmult_data; + rustsecp256k1zkp_v0_6_0_gej pkj; + rustsecp256k1zkp_v0_6_0_ge pkp; int pk_parity; VERIFY_CHECK(ctx != NULL); ARG_CHECK(combined_pk != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(pubkeys != NULL); ARG_CHECK(n_pubkeys > 0); ecmult_data.ctx = ctx; ecmult_data.pks = pubkeys; - if (!rustsecp256k1zkp_v0_5_0_musig_compute_ell(ctx, ecmult_data.ell, pubkeys, n_pubkeys)) { + if (!rustsecp256k1zkp_v0_6_0_musig_compute_ell(ctx, ecmult_data.ell, pubkeys, n_pubkeys)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &pkj, NULL, rustsecp256k1zkp_v0_5_0_musig_pubkey_combine_callback, (void *) &ecmult_data, n_pubkeys)) { + if (!rustsecp256k1zkp_v0_6_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &pkj, NULL, rustsecp256k1zkp_v0_6_0_musig_pubkey_combine_callback, (void *) &ecmult_data, n_pubkeys)) { return 0; } - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pkp, &pkj); - rustsecp256k1zkp_v0_5_0_fe_normalize(&pkp.y); - pk_parity = rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(&pkp); - rustsecp256k1zkp_v0_5_0_xonly_pubkey_save(combined_pk, &pkp); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pkp, &pkj); + rustsecp256k1zkp_v0_6_0_fe_normalize(&pkp.y); + pk_parity = rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(&pkp); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_save(combined_pk, &pkp); if (pre_session != NULL) { pre_session->magic = pre_session_magic; @@ -132,8 +132,8 @@ int rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(const rustsecp256k1zkp_v0_5_0_c return 1; } -int rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, rustsecp256k1zkp_v0_5_0_pubkey *output_pubkey, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge pk; +int rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, rustsecp256k1zkp_v0_6_0_pubkey *output_pubkey, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge pk; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pre_session != NULL); @@ -143,35 +143,35 @@ int rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(const rustsecp256k1zkp_v0_5_0 ARG_CHECK(pre_session->is_tweaked == 0); pre_session->internal_key_parity = pre_session->pk_parity; - if(!rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add(ctx, output_pubkey, internal_pubkey, tweak32)) { + if(!rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add(ctx, output_pubkey, internal_pubkey, tweak32)) { return 0; } memcpy(pre_session->tweak, tweak32, 32); pre_session->is_tweaked = 1; - if (!rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &pk, output_pubkey)) { + if (!rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &pk, output_pubkey)) { return 0; } - pre_session->pk_parity = rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(&pk); + pre_session->pk_parity = rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(&pk); return 1; } static const uint64_t session_magic = 0xd92e6fc1ee41b4cbUL; -int rustsecp256k1zkp_v0_5_0_musig_session_init(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_session *session, rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, const rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, size_t n_signers, size_t my_index, const unsigned char *seckey) { +int rustsecp256k1zkp_v0_6_0_musig_session_init(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_session *session, rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, const rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, size_t n_signers, size_t my_index, const unsigned char *seckey) { unsigned char combined_ser[32]; int overflow; - rustsecp256k1zkp_v0_5_0_scalar secret; - rustsecp256k1zkp_v0_5_0_scalar mu; - rustsecp256k1zkp_v0_5_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_gej pj; - rustsecp256k1zkp_v0_5_0_ge p; + rustsecp256k1zkp_v0_6_0_scalar secret; + rustsecp256k1zkp_v0_6_0_scalar mu; + rustsecp256k1zkp_v0_6_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_gej pj; + rustsecp256k1zkp_v0_6_0_ge p; unsigned char nonce_ser[32]; size_t nonce_ser_size = sizeof(nonce_ser); VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(session != NULL); ARG_CHECK(signers != NULL); ARG_CHECK(nonce_commitment32 != NULL); @@ -198,15 +198,15 @@ int rustsecp256k1zkp_v0_5_0_musig_session_init(const rustsecp256k1zkp_v0_5_0_con session->pre_session = *pre_session; session->has_secret_data = 1; session->n_signers = (uint32_t) n_signers; - rustsecp256k1zkp_v0_5_0_musig_signers_init(signers, session->n_signers); + rustsecp256k1zkp_v0_6_0_musig_signers_init(signers, session->n_signers); /* Compute secret key */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&secret, seckey, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&secret, seckey, &overflow); if (overflow) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&secret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&secret); return 0; } - rustsecp256k1zkp_v0_5_0_musig_coefficient(&mu, session->pre_session.pk_hash, (uint32_t) my_index); + rustsecp256k1zkp_v0_6_0_musig_coefficient(&mu, session->pre_session.pk_hash, (uint32_t) my_index); /* Compute the signer's public key point and determine if the secret is * negated before signing. That happens if if the signer's pubkey has an odd * Y coordinate XOR the MuSig-combined pubkey has an odd Y coordinate XOR @@ -217,7 +217,7 @@ int rustsecp256k1zkp_v0_5_0_musig_session_init(const rustsecp256k1zkp_v0_5_0_con * P' := mu_0*|P_0| + ... + mu_n*|P_n| where P_i is the i-th public key * point x_i*G, mu_i is the i-th musig coefficient and |.| is a function * that normalizes a point to an even Y by negating if necessary similar to - * rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y. Then we have + * rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y. Then we have * P := |P'| + t*G where t is the tweak. * And the combined xonly public key is * |P| = x*G @@ -226,54 +226,54 @@ int rustsecp256k1zkp_v0_5_0_musig_session_init(const rustsecp256k1zkp_v0_5_0_con * b_i = -1 if (P_i != |P_i| XOR P' != |P'| XOR P != |P|) and 1 * otherwise. */ - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&p, &pj); - rustsecp256k1zkp_v0_5_0_fe_normalize(&p.y); - if((rustsecp256k1zkp_v0_5_0_fe_is_odd(&p.y) + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&p, &pj); + rustsecp256k1zkp_v0_6_0_fe_normalize(&p.y); + if((rustsecp256k1zkp_v0_6_0_fe_is_odd(&p.y) + session->pre_session.pk_parity + (session->pre_session.is_tweaked && session->pre_session.internal_key_parity)) % 2 == 1) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&secret, &secret); + rustsecp256k1zkp_v0_6_0_scalar_negate(&secret, &secret); } - rustsecp256k1zkp_v0_5_0_scalar_mul(&secret, &secret, &mu); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(session->seckey, &secret); + rustsecp256k1zkp_v0_6_0_scalar_mul(&secret, &secret, &mu); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(session->seckey, &secret); /* Compute secret nonce */ - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, session_id32, 32); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, session_id32, 32); if (session->is_msg_set) { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, msg32, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, msg32, 32); } - rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, combined_ser, combined_pk); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, combined_ser, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, seckey, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, session->secnonce); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&secret, session->secnonce, &overflow); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, combined_ser, combined_pk); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, combined_ser, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, seckey, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, session->secnonce); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&secret, session->secnonce, &overflow); if (overflow) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&secret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&secret); return 0; } /* Compute public nonce and commitment */ - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&p, &pj); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&p.y); - session->partial_nonce_parity = rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(&p); - rustsecp256k1zkp_v0_5_0_xonly_pubkey_save(&session->nonce, &p); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&p, &pj); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&p.y); + session->partial_nonce_parity = rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(&p); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_save(&session->nonce, &p); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, nonce_ser, nonce_ser_size); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, nonce_commitment32); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, nonce_ser, nonce_ser_size); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, nonce_commitment32); session->round = 0; - rustsecp256k1zkp_v0_5_0_scalar_clear(&secret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&secret); return 1; } -int rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_session *session, rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, unsigned char *nonce, const unsigned char *const *commitments, size_t n_commitments, const unsigned char *msg32) { - rustsecp256k1zkp_v0_5_0_sha256 sha; +int rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_session *session, rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, unsigned char *nonce, const unsigned char *const *commitments, size_t n_commitments, const unsigned char *msg32) { + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char nonce_commitments_hash[32]; size_t i; unsigned char nonce_ser[32]; @@ -302,21 +302,21 @@ int rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(const rustsecp256k1zk memcpy(session->msg, msg32, 32); session->is_msg_set = 1; } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); for (i = 0; i < n_commitments; i++) { memcpy(signers[i].nonce_commitment, commitments[i], 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, commitments[i], 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, commitments[i], 32); } - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, nonce_commitments_hash); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, nonce_commitments_hash); memcpy(session->nonce_commitments_hash, nonce_commitments_hash, 32); - rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce); memcpy(nonce, &nonce_ser, nonce_ser_size); session->round = 1; return 1; } -int rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_session *session, rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, const unsigned char *msg32, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, const rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, const unsigned char *const *commitments, size_t n_signers) { +int rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_session *session, rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, const unsigned char *msg32, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, const rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, const unsigned char *const *commitments, size_t n_signers) { size_t i; VERIFY_CHECK(ctx != NULL); @@ -342,7 +342,7 @@ int rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(const rustsecp256k1zkp_v memcpy(&session->combined_pk, combined_pk, sizeof(*combined_pk)); session->pre_session = *pre_session; session->n_signers = (uint32_t) n_signers; - rustsecp256k1zkp_v0_5_0_musig_signers_init(signers, session->n_signers); + rustsecp256k1zkp_v0_6_0_musig_signers_init(signers, session->n_signers); session->pre_session = *pre_session; session->is_msg_set = 1; @@ -356,34 +356,34 @@ int rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(const rustsecp256k1zkp_v return 1; } -int rustsecp256k1zkp_v0_5_0_musig_set_nonce(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signer, const unsigned char *nonce) { - rustsecp256k1zkp_v0_5_0_sha256 sha; +int rustsecp256k1zkp_v0_6_0_musig_set_nonce(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signer, const unsigned char *nonce) { + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char commit[32]; VERIFY_CHECK(ctx != NULL); ARG_CHECK(signer != NULL); ARG_CHECK(nonce != NULL); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, nonce, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, commit); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, nonce, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, commit); if (memcmp(commit, signer->nonce_commitment, 32) != 0) { return 0; } memcpy(&signer->nonce, nonce, sizeof(*nonce)); - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &signer->nonce, nonce)) { + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &signer->nonce, nonce)) { return 0; } signer->present = 1; return 1; } -int rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_session *session, const rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers, size_t n_signers, int *nonce_parity, const rustsecp256k1zkp_v0_5_0_pubkey *adaptor) { - rustsecp256k1zkp_v0_5_0_gej combined_noncej; - rustsecp256k1zkp_v0_5_0_ge combined_noncep; - rustsecp256k1zkp_v0_5_0_ge noncep; - rustsecp256k1zkp_v0_5_0_sha256 sha; +int rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_session *session, const rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers, size_t n_signers, int *nonce_parity, const rustsecp256k1zkp_v0_6_0_pubkey *adaptor) { + rustsecp256k1zkp_v0_6_0_gej combined_noncej; + rustsecp256k1zkp_v0_6_0_ge combined_noncep; + rustsecp256k1zkp_v0_6_0_ge noncep; + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char nonce_commitments_hash[32]; size_t i; @@ -394,17 +394,17 @@ int rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(const rustsecp256k1zkp_ ARG_CHECK(session->round == 1); ARG_CHECK(n_signers == session->n_signers); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&combined_noncej); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&combined_noncej); for (i = 0; i < n_signers; i++) { if (!signers[i].present) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, signers[i].nonce_commitment, 32); - rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &noncep, &signers[i].nonce); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, signers[i].nonce_commitment, 32); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &noncep, &signers[i].nonce); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL); } - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, nonce_commitments_hash); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, nonce_commitments_hash); /* If the signers' commitments changed between get_public_nonce and now we * have to abort because in that case they may have seen our nonce before * creating their commitment. That can happen if the signer_data given to @@ -417,23 +417,23 @@ int rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(const rustsecp256k1zkp_ /* Add public adaptor to nonce */ if (adaptor != NULL) { - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &noncep, adaptor); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &noncep, adaptor); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL); } /* Negate nonce if Y coordinate is not square */ - rustsecp256k1zkp_v0_5_0_ge_set_gej(&combined_noncep, &combined_noncej); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&combined_noncep.y); - session->combined_nonce_parity = rustsecp256k1zkp_v0_5_0_extrakeys_ge_even_y(&combined_noncep); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&combined_noncep, &combined_noncej); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&combined_noncep.y); + session->combined_nonce_parity = rustsecp256k1zkp_v0_6_0_extrakeys_ge_even_y(&combined_noncep); if (nonce_parity != NULL) { *nonce_parity = session->combined_nonce_parity; } - rustsecp256k1zkp_v0_5_0_xonly_pubkey_save(&session->combined_nonce, &combined_noncep); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_save(&session->combined_nonce, &combined_noncep); session->round = 2; return 1; } -int rustsecp256k1zkp_v0_5_0_musig_partial_signature_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *out32, const rustsecp256k1zkp_v0_5_0_musig_partial_signature* sig) { +int rustsecp256k1zkp_v0_6_0_musig_partial_signature_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *out32, const rustsecp256k1zkp_v0_6_0_musig_partial_signature* sig) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(out32 != NULL); ARG_CHECK(sig != NULL); @@ -441,7 +441,7 @@ int rustsecp256k1zkp_v0_5_0_musig_partial_signature_serialize(const rustsecp256k return 1; } -int rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_partial_signature* sig, const unsigned char *in32) { +int rustsecp256k1zkp_v0_6_0_musig_partial_signature_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_partial_signature* sig, const unsigned char *in32) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(in32 != NULL); @@ -450,29 +450,29 @@ int rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse(const rustsecp256k1zkp } /* Compute msghash = SHA256(combined_nonce, combined_pk, msg) */ -static void rustsecp256k1zkp_v0_5_0_musig_compute_messagehash(const rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *msghash, const rustsecp256k1zkp_v0_5_0_musig_session *session) { +static void rustsecp256k1zkp_v0_6_0_musig_compute_messagehash(const rustsecp256k1zkp_v0_6_0_context *ctx, unsigned char *msghash, const rustsecp256k1zkp_v0_6_0_musig_session *session) { unsigned char buf[32]; - rustsecp256k1zkp_v0_5_0_ge rp; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_ge rp; + rustsecp256k1zkp_v0_6_0_sha256 sha; VERIFY_CHECK(session->round >= 2); - rustsecp256k1zkp_v0_5_0_schnorrsig_sha256_tagged(&sha); - rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &rp, &session->combined_nonce); - rustsecp256k1zkp_v0_5_0_fe_get_b32(buf, &rp.x); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, buf, 32); + rustsecp256k1zkp_v0_6_0_schnorrsig_sha256_tagged(&sha); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &rp, &session->combined_nonce); + rustsecp256k1zkp_v0_6_0_fe_get_b32(buf, &rp.x); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, buf, 32); - rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, buf, &session->combined_pk); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, buf, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, session->msg, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, msghash); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, buf, &session->combined_pk); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, buf, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, session->msg, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, msghash); } -int rustsecp256k1zkp_v0_5_0_musig_partial_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_musig_session *session, rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sig) { +int rustsecp256k1zkp_v0_6_0_musig_partial_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_musig_session *session, rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sig) { unsigned char msghash[32]; int overflow; - rustsecp256k1zkp_v0_5_0_scalar sk; - rustsecp256k1zkp_v0_5_0_scalar e, k; + rustsecp256k1zkp_v0_6_0_scalar sk; + rustsecp256k1zkp_v0_6_0_scalar e, k; VERIFY_CHECK(ctx != NULL); ARG_CHECK(partial_sig != NULL); @@ -482,39 +482,39 @@ int rustsecp256k1zkp_v0_5_0_musig_partial_sign(const rustsecp256k1zkp_v0_5_0_con ARG_CHECK(session->has_secret_data); /* build message hash */ - rustsecp256k1zkp_v0_5_0_musig_compute_messagehash(ctx, msghash, session); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&e, msghash, NULL); + rustsecp256k1zkp_v0_6_0_musig_compute_messagehash(ctx, msghash, session); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&e, msghash, NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sk, session->seckey, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sk, session->seckey, &overflow); if (overflow) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&sk); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sk); return 0; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&k, session->secnonce, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&k)) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&sk); - rustsecp256k1zkp_v0_5_0_scalar_clear(&k); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&k, session->secnonce, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&k)) { + rustsecp256k1zkp_v0_6_0_scalar_clear(&sk); + rustsecp256k1zkp_v0_6_0_scalar_clear(&k); return 0; } if (session->partial_nonce_parity != session->combined_nonce_parity) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&k, &k); + rustsecp256k1zkp_v0_6_0_scalar_negate(&k, &k); } /* Sign */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&e, &e, &sk); - rustsecp256k1zkp_v0_5_0_scalar_add(&e, &e, &k); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&partial_sig->data[0], &e); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sk); - rustsecp256k1zkp_v0_5_0_scalar_clear(&k); + rustsecp256k1zkp_v0_6_0_scalar_mul(&e, &e, &sk); + rustsecp256k1zkp_v0_6_0_scalar_add(&e, &e, &k); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&partial_sig->data[0], &e); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sk); + rustsecp256k1zkp_v0_6_0_scalar_clear(&k); return 1; } -int rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_musig_session *session, unsigned char *sig64, const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sigs, size_t n_sigs) { +int rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_musig_session *session, unsigned char *sig64, const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sigs, size_t n_sigs) { size_t i; - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_ge noncep; + rustsecp256k1zkp_v0_6_0_scalar s; + rustsecp256k1zkp_v0_6_0_ge noncep; (void) ctx; VERIFY_CHECK(ctx != NULL); @@ -527,60 +527,60 @@ int rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(const rustsecp256k1zkp_v0_ if (n_sigs != session->n_signers) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_clear(&s); + rustsecp256k1zkp_v0_6_0_scalar_clear(&s); for (i = 0; i < n_sigs; i++) { int overflow; - rustsecp256k1zkp_v0_5_0_scalar term; + rustsecp256k1zkp_v0_6_0_scalar term; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&term, partial_sigs[i].data, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&term, partial_sigs[i].data, &overflow); if (overflow) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_add(&s, &s, &term); + rustsecp256k1zkp_v0_6_0_scalar_add(&s, &s, &term); } /* If there is a tweak then add (or subtract) `msghash` times `tweak` to `s`.*/ if (session->pre_session.is_tweaked) { unsigned char msghash[32]; - rustsecp256k1zkp_v0_5_0_scalar e, scalar_tweak; + rustsecp256k1zkp_v0_6_0_scalar e, scalar_tweak; int overflow = 0; - rustsecp256k1zkp_v0_5_0_musig_compute_messagehash(ctx, msghash, session); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&e, msghash, NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&scalar_tweak, session->pre_session.tweak, &overflow); - if (overflow || !rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_mul(&e, &scalar_tweak)) { - /* This mimics the behavior of rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul regarding + rustsecp256k1zkp_v0_6_0_musig_compute_messagehash(ctx, msghash, session); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&e, msghash, NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&scalar_tweak, session->pre_session.tweak, &overflow); + if (overflow || !rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_mul(&e, &scalar_tweak)) { + /* This mimics the behavior of rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul regarding * overflow and tweak being 0. */ return 0; } if (session->pre_session.pk_parity) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&e, &e); + rustsecp256k1zkp_v0_6_0_scalar_negate(&e, &e); } - rustsecp256k1zkp_v0_5_0_scalar_add(&s, &s, &e); + rustsecp256k1zkp_v0_6_0_scalar_add(&s, &s, &e); } - rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &noncep, &session->combined_nonce); - VERIFY_CHECK(!rustsecp256k1zkp_v0_5_0_fe_is_odd(&noncep.y)); - rustsecp256k1zkp_v0_5_0_fe_normalize(&noncep.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&sig64[0], &noncep.x); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig64[32], &s); + rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &noncep, &session->combined_nonce); + VERIFY_CHECK(!rustsecp256k1zkp_v0_6_0_fe_is_odd(&noncep.y)); + rustsecp256k1zkp_v0_6_0_fe_normalize(&noncep.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&sig64[0], &noncep.x); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig64[32], &s); return 1; } -int rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_musig_session *session, const rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signer, const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sig, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey) { +int rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_musig_session *session, const rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signer, const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sig, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey) { unsigned char msghash[32]; - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_scalar e; - rustsecp256k1zkp_v0_5_0_scalar mu; - rustsecp256k1zkp_v0_5_0_gej pkj; - rustsecp256k1zkp_v0_5_0_gej rj; - rustsecp256k1zkp_v0_5_0_ge pkp; - rustsecp256k1zkp_v0_5_0_ge rp; + rustsecp256k1zkp_v0_6_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar e; + rustsecp256k1zkp_v0_6_0_scalar mu; + rustsecp256k1zkp_v0_6_0_gej pkj; + rustsecp256k1zkp_v0_6_0_gej rj; + rustsecp256k1zkp_v0_6_0_ge pkp; + rustsecp256k1zkp_v0_6_0_ge rp; int overflow; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(session != NULL); ARG_CHECK(signer != NULL); ARG_CHECK(partial_sig != NULL); @@ -589,20 +589,20 @@ int rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(const rustsecp256k1zkp_v0_5 ARG_CHECK(session->round == 2); ARG_CHECK(signer->present); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, partial_sig->data, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, partial_sig->data, &overflow); if (overflow) { return 0; } - rustsecp256k1zkp_v0_5_0_musig_compute_messagehash(ctx, msghash, session); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&e, msghash, NULL); + rustsecp256k1zkp_v0_6_0_musig_compute_messagehash(ctx, msghash, session); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&e, msghash, NULL); /* Multiplying the messagehash by the musig coefficient is equivalent * to multiplying the signer's public key by the coefficient, except * much easier to do. */ - rustsecp256k1zkp_v0_5_0_musig_coefficient(&mu, session->pre_session.pk_hash, signer->index); - rustsecp256k1zkp_v0_5_0_scalar_mul(&e, &e, &mu); + rustsecp256k1zkp_v0_6_0_musig_coefficient(&mu, session->pre_session.pk_hash, signer->index); + rustsecp256k1zkp_v0_6_0_scalar_mul(&e, &e, &mu); - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &rp, &signer->nonce)) { + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &rp, &signer->nonce)) { return 0; } @@ -614,28 +614,28 @@ int rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(const rustsecp256k1zkp_v0_5 if (session->pre_session.pk_parity != (session->pre_session.is_tweaked && session->pre_session.internal_key_parity)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&e, &e); + rustsecp256k1zkp_v0_6_0_scalar_negate(&e, &e); } /* Compute rj = s*G + (-e)*pkj */ - rustsecp256k1zkp_v0_5_0_scalar_negate(&e, &e); - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &pkp, pubkey)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&e, &e); + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &pkp, pubkey)) { return 0; } - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pkj, &pkp); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pkj, &pkp); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s); if (!session->combined_nonce_parity) { - rustsecp256k1zkp_v0_5_0_ge_neg(&rp, &rp); + rustsecp256k1zkp_v0_6_0_ge_neg(&rp, &rp); } - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&rj, &rj, &rp, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&rj, &rj, &rp, NULL); - return rustsecp256k1zkp_v0_5_0_gej_is_infinity(&rj); + return rustsecp256k1zkp_v0_6_0_gej_is_infinity(&rj); } -int rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_musig_partial_signature *adaptor_sig, const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_parity) { - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_scalar t; +int rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_musig_partial_signature *adaptor_sig, const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_parity) { + rustsecp256k1zkp_v0_6_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar t; int overflow; (void) ctx; @@ -644,29 +644,29 @@ int rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(const rustsecp256k1zkp_v0_5_ ARG_CHECK(partial_sig != NULL); ARG_CHECK(sec_adaptor32 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, partial_sig->data, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, partial_sig->data, &overflow); if (overflow) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&t, sec_adaptor32, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&t, sec_adaptor32, &overflow); if (overflow) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&t); + rustsecp256k1zkp_v0_6_0_scalar_clear(&t); return 0; } if (nonce_parity) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&t, &t); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t, &t); } - rustsecp256k1zkp_v0_5_0_scalar_add(&s, &s, &t); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(adaptor_sig->data, &s); - rustsecp256k1zkp_v0_5_0_scalar_clear(&t); + rustsecp256k1zkp_v0_6_0_scalar_add(&s, &s, &t); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(adaptor_sig->data, &s); + rustsecp256k1zkp_v0_6_0_scalar_clear(&t); return 1; } -int rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *sec_adaptor32, const unsigned char *sig64, const rustsecp256k1zkp_v0_5_0_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_parity) { - rustsecp256k1zkp_v0_5_0_scalar t; - rustsecp256k1zkp_v0_5_0_scalar s; +int rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *sec_adaptor32, const unsigned char *sig64, const rustsecp256k1zkp_v0_6_0_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_parity) { + rustsecp256k1zkp_v0_6_0_scalar t; + rustsecp256k1zkp_v0_6_0_scalar s; int overflow; size_t i; @@ -676,26 +676,26 @@ int rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(const rustsecp256k1zkp_ ARG_CHECK(sig64 != NULL); ARG_CHECK(partial_sigs != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&t, &sig64[32], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&t, &sig64[32], &overflow); if (overflow) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_negate(&t, &t); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t, &t); for (i = 0; i < n_partial_sigs; i++) { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, partial_sigs[i].data, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, partial_sigs[i].data, &overflow); if (overflow) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&t); + rustsecp256k1zkp_v0_6_0_scalar_clear(&t); return 0; } - rustsecp256k1zkp_v0_5_0_scalar_add(&t, &t, &s); + rustsecp256k1zkp_v0_6_0_scalar_add(&t, &t, &s); } if (!nonce_parity) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&t, &t); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t, &t); } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(sec_adaptor32, &t); - rustsecp256k1zkp_v0_5_0_scalar_clear(&t); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(sec_adaptor32, &t); + rustsecp256k1zkp_v0_6_0_scalar_clear(&t); return 1; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/musig.md b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/musig.md index 2baafcf4..7e1685ad 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/musig.md +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/musig.md @@ -49,19 +49,19 @@ The following sections describe use of our API, and are mirrored in code in `src It is essential to security that signers use a unique uniformly random nonce for all signing sessions, and that they do not reuse these nonces even in the case that a signing session fails to complete. To that end, all signing state is encapsulated -in the data structure `rustsecp256k1zkp_v0_5_0_musig_session`. The API does not expose any +in the data structure `rustsecp256k1zkp_v0_6_0_musig_session`. The API does not expose any functionality to serialize or deserialize this structure; it is designed to exist only in memory. Users who need to persist this structure must take additional security measures which cannot be enforced by a C API. Some guidance is provided in the documentation -for this data structure in `include/rustsecp256k1zkp_v0_5_0_musig.h`. +for this data structure in `include/rustsecp256k1zkp_v0_6_0_musig.h`. ## Key Generation To use MuSig, users must first compute their combined public key `P`, which is suitable for use on a blockchain or other public key repository. They do this -by calling `rustsecp256k1zkp_v0_5_0_musig_pubkey_combine`. +by calling `rustsecp256k1zkp_v0_6_0_musig_pubkey_combine`. This function takes as input a list of public keys `P_i` in the argument `pubkeys`. It outputs the combined public key `P` in the out-pointer `combined_pk` @@ -74,7 +74,7 @@ signature process, which is also a supported mode) acts as follows. ### Signing Participant -1. The signer starts the session by calling `rustsecp256k1zkp_v0_5_0_musig_session_init`. +1. The signer starts the session by calling `rustsecp256k1zkp_v0_6_0_musig_session_init`. This function outputs - an initialized session state in the out-pointer `session` - an array of initialized signer data in the out-pointer `signers` @@ -82,16 +82,16 @@ signature process, which is also a supported mode) acts as follows. It takes as input - a unique session ID `session_id32` - (optionally) a message to be signed `msg32` - - the combined public key output from `rustsecp256k1zkp_v0_5_0_musig_pubkey_combine` - - the public key hash output from `rustsecp256k1zkp_v0_5_0_musig_pubkey_combine` + - the combined public key output from `rustsecp256k1zkp_v0_6_0_musig_pubkey_combine` + - the public key hash output from `rustsecp256k1zkp_v0_6_0_musig_pubkey_combine` - the signer's index `i` `my_index` - the signer's secret key `seckey` 2. The signer then communicates `H(R_i)` to all other signers, and receives commitments `H(R_j)` from all other signers `j`. These hashes are simply length-32 byte arrays which can be communicated however is communicated. 3. Once all signers nonce commitments have been received, the signer records - these commitments with the function `rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce`. - If the signer did not provide a message to `rustsecp256k1zkp_v0_5_0_musig_session_init`, + these commitments with the function `rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce`. + If the signer did not provide a message to `rustsecp256k1zkp_v0_6_0_musig_session_init`, a message must be provided now. This function updates in place - the session state `session` @@ -100,30 +100,30 @@ signature process, which is also a supported mode) acts as follows. signer's public nonce `R_i` in the out-pointer `nonce`. 4. The signer then communicates `R_i` to all other signers, and receives `R_j` from each signer `j`. On receipt of a nonce `R_j` he calls the function - `rustsecp256k1zkp_v0_5_0_musig_set_nonce` to record this fact. This function checks that + `rustsecp256k1zkp_v0_6_0_musig_set_nonce` to record this fact. This function checks that the received nonce is consistent with the previously-received nonce and will return 0 in this case. The signer must also call this function with his own nonce and his own index `i`. These nonces `R_i` are secp256k1 public keys; they should be serialized using - `rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize` and parsed with `rustsecp256k1zkp_v0_5_0_ec_pubkey_parse`. + `rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize` and parsed with `rustsecp256k1zkp_v0_6_0_ec_pubkey_parse`. 5. Once all nonces have been exchanged in this way, signers are able to compute - their partial signatures. They do so by calling `rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces` + their partial signatures. They do so by calling `rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces` which updates in place - the session state `session` - the array of signer data `signers` It outputs an auxiliary integer `nonce_is_negated` and has an auxiliary input `adaptor`. Both of these may be set to NULL for ordinary signing purposes. 6. The signer computes a partial signature `s_i` using the function - `rustsecp256k1zkp_v0_5_0_musig_partial_sign` which takes the session state as input and + `rustsecp256k1zkp_v0_6_0_musig_partial_sign` which takes the session state as input and partial signature as output. 7. The signer then communicates the partial signature `s_i` to all other signers, or to a central coordinator. These partial signatures should be serialized using `musig_partial_signature_serialize` and parsed using `musig_partial_signature_parse`. -8. Each signer calls `rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify` on the other signers' partial +8. Each signer calls `rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify` on the other signers' partial signatures to verify their correctness. If only the validity of the final signature is important, not assigning blame, this step can be skipped. 9. Any signer, or central coordinator, may combine the partial signatures to obtain - a complete signature using `rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine`. This function takes + a complete signature using `rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine`. This function takes a signing session and array of MuSig partial signatures, and outputs a single Schnorr signature. @@ -137,14 +137,14 @@ may do so using the above instructions except for the following changes: rather than `musig_session_init`; this function takes no secret data or signer index. 2. The participant receives nonce commitments, public nonces and partial signatures, - but does not produce these values. Therefore `rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce` - and `rustsecp256k1zkp_v0_5_0_musig_partial_sign` are not called. + but does not produce these values. Therefore `rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce` + and `rustsecp256k1zkp_v0_6_0_musig_partial_sign` are not called. ### Verifier The final signature is simply a valid Schnorr signature using the combined public key. It -can be verified using the `rustsecp256k1zkp_v0_5_0_schnorrsig_verify` with the correct message and -public key output from `rustsecp256k1zkp_v0_5_0_musig_pubkey_combine`. +can be verified using the `rustsecp256k1zkp_v0_6_0_schnorrsig_verify` with the correct message and +public key output from `rustsecp256k1zkp_v0_6_0_musig_pubkey_combine`. ## Atomic Swaps @@ -167,11 +167,11 @@ are simultaneously producing 2-of-2 multisignatures for two blockchains A and B. as follows. 1. Before the protocol begins, Bob chooses a 32-byte auxiliary secret `t` at random and - computes a corresponding public point `T` by calling `rustsecp256k1zkp_v0_5_0_ec_pubkey_create`. + computes a corresponding public point `T` by calling `rustsecp256k1zkp_v0_6_0_ec_pubkey_create`. He communicates `T` to Alice. 2. Together, the parties execute steps 1-4 of the signing protocol above. 3. At step 5, when combining the two parties' public nonces, both parties call - `rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces` with `adaptor` set to `T` and `nonce_is_negated` + `rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces` with `adaptor` set to `T` and `nonce_is_negated` set to a non-NULL pointer to int. 4. Steps 6 and 7 proceed as before. Step 8, verifying the partial signatures, is now essential to the security of the protocol and must not be omitted! @@ -182,15 +182,15 @@ Additional steps must be taken, and it is at this point that the two signing ses diverge. From here on we consider "Session A" which benefits Alice (e.g. which sends her coins) and "Session B" which benefits Bob (e.g. which sends him coins). -5. In Session B, Bob calls `rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt` with his partial signature - and `t`, to produce an adaptor signature. He can then call `rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine` +5. In Session B, Bob calls `rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt` with his partial signature + and `t`, to produce an adaptor signature. He can then call `rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine` with this adaptor signature and Alice's partial signature, to produce a complete signature for blockchain B. -6. Alice reads this signature from blockchain B. She calls `rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor`, +6. Alice reads this signature from blockchain B. She calls `rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor`, passing the complete signature along with her and Bob's partial signatures from Session B. This function outputs `t`, which until this point was only known to Bob. 7. In Session A, Alice is now able to replicate Bob's action, calling - `rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt` with her own partial signature and `t`, ultimately + `rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt` with her own partial signature and `t`, ultimately producing a complete signature on blockchain A. [1] https://eprint.iacr.org/2018/068 diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/tests_impl.h index b557a2e1..bc08e7e8 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/musig/tests_impl.h @@ -9,80 +9,80 @@ #include "secp256k1_musig.h" -int rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(rustsecp256k1zkp_v0_5_0_xonly_pubkey *pk, const unsigned char *seckey) { +int rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(rustsecp256k1zkp_v0_6_0_xonly_pubkey *pk, const unsigned char *seckey) { int ret; - rustsecp256k1zkp_v0_5_0_keypair keypair; - ret = rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, seckey); - ret &= rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, pk, NULL, &keypair); + rustsecp256k1zkp_v0_6_0_keypair keypair; + ret = rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, seckey); + ret &= rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, pk, NULL, &keypair); return ret; } /* Just a simple (non-adaptor, non-tweaked) 2-of-2 MuSig combine, sign, verify * test. */ -void musig_simple_test(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { +void musig_simple_test(rustsecp256k1zkp_v0_6_0_scratch_space *scratch) { unsigned char sk[2][32]; - rustsecp256k1zkp_v0_5_0_musig_session session[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signer0[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signer1[2]; + rustsecp256k1zkp_v0_6_0_musig_session session[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signer0[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signer1[2]; unsigned char nonce_commitment[2][32]; unsigned char msg[32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session; unsigned char session_id[2][32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk[2]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk[2]; const unsigned char *ncs[2]; unsigned char public_nonce[3][32]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig[2]; unsigned char final_sig[64]; - rustsecp256k1zkp_v0_5_0_testrand256(session_id[0]); - rustsecp256k1zkp_v0_5_0_testrand256(session_id[1]); - rustsecp256k1zkp_v0_5_0_testrand256(sk[0]); - rustsecp256k1zkp_v0_5_0_testrand256(sk[1]); - rustsecp256k1zkp_v0_5_0_testrand256(msg); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[0]); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[1]); + rustsecp256k1zkp_v0_6_0_testrand256(sk[0]); + rustsecp256k1zkp_v0_6_0_testrand256(sk[1]); + rustsecp256k1zkp_v0_6_0_testrand256(msg); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, scratch, &combined_pk, &pre_session, pk, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, scratch, &combined_pk, &pre_session, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session[0], signer0, public_nonce[0], ncs, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session[1], signer1, public_nonce[1], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session[0], signer0, public_nonce[0], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session[1], signer1, public_nonce[1], ncs, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signer0[0], public_nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signer0[1], public_nonce[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signer1[0], public_nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signer1[1], public_nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signer0[0], public_nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signer0[1], public_nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signer1[0], public_nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signer1[1], public_nonce[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session[0], signer0, 2, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session[1], signer1, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session[0], signer0, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session[1], signer1, 2, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[0], &signer0[1], &partial_sig[1], &pk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[1], &signer1[1], &partial_sig[1], &pk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[0], &signer0[1], &partial_sig[1], &pk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[1], &signer1[1], &partial_sig[1], &pk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(ctx, &session[0], final_sig, partial_sig, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, final_sig, msg, &combined_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(ctx, &session[0], final_sig, partial_sig, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, final_sig, msg, &combined_pk) == 1); } -void musig_api_tests(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { - rustsecp256k1zkp_v0_5_0_scratch_space *scratch_small; - rustsecp256k1zkp_v0_5_0_musig_session session[2]; - rustsecp256k1zkp_v0_5_0_musig_session session_uninitialized; - rustsecp256k1zkp_v0_5_0_musig_session verifier_session; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signer0[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signer1[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data verifier_signer_data[2]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig[2]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig_adapted[2]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig_overflow; +void musig_api_tests(rustsecp256k1zkp_v0_6_0_scratch_space *scratch) { + rustsecp256k1zkp_v0_6_0_scratch_space *scratch_small; + rustsecp256k1zkp_v0_6_0_musig_session session[2]; + rustsecp256k1zkp_v0_6_0_musig_session session_uninitialized; + rustsecp256k1zkp_v0_6_0_musig_session verifier_session; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signer0[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signer1[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data verifier_signer_data[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig_adapted[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig_overflow; unsigned char final_sig[64]; unsigned char final_sig_cmp[64]; @@ -94,28 +94,28 @@ void musig_api_tests(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { int combined_nonce_parity; const unsigned char *ncs[2]; unsigned char msg[32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session_uninitialized; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk[2]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session_uninitialized; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk[2]; unsigned char tweak[32]; unsigned char sec_adaptor[32]; unsigned char sec_adaptor1[32]; - rustsecp256k1zkp_v0_5_0_pubkey adaptor; + rustsecp256k1zkp_v0_6_0_pubkey adaptor; /** setup **/ - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); int ecount; - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); memset(ones, 0xff, 32); /* Simulate structs being uninitialized by setting it to 0s. We don't want @@ -124,168 +124,168 @@ void musig_api_tests(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { memset(&pre_session_uninitialized, 0, sizeof(pre_session_uninitialized)); memset(&session_uninitialized, 0, sizeof(session_uninitialized)); - rustsecp256k1zkp_v0_5_0_testrand256(session_id[0]); - rustsecp256k1zkp_v0_5_0_testrand256(session_id[1]); - rustsecp256k1zkp_v0_5_0_testrand256(sk[0]); - rustsecp256k1zkp_v0_5_0_testrand256(sk[1]); - rustsecp256k1zkp_v0_5_0_testrand256(msg); - rustsecp256k1zkp_v0_5_0_testrand256(sec_adaptor); - rustsecp256k1zkp_v0_5_0_testrand256(tweak); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[0]); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[1]); + rustsecp256k1zkp_v0_6_0_testrand256(sk[0]); + rustsecp256k1zkp_v0_6_0_testrand256(sk[1]); + rustsecp256k1zkp_v0_6_0_testrand256(msg); + rustsecp256k1zkp_v0_6_0_testrand256(sec_adaptor); + rustsecp256k1zkp_v0_6_0_testrand256(tweak); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &adaptor, sec_adaptor) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &adaptor, sec_adaptor) == 1); /** main test body **/ /* Key combination */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(none, scratch, &combined_pk, &pre_session, pk, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(none, scratch, &combined_pk, &pre_session, pk, 2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(sign, scratch, &combined_pk, &pre_session, pk, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(sign, scratch, &combined_pk, &pre_session, pk, 2) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); CHECK(ecount == 2); /* pubkey_combine does not require a scratch space */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, NULL, &combined_pk, &pre_session, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, NULL, &combined_pk, &pre_session, pk, 2) == 1); CHECK(ecount == 2); /* A small scratch space works too, but will result in using an ineffecient algorithm */ - scratch_small = rustsecp256k1zkp_v0_5_0_scratch_space_create(ctx, 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch_small, &combined_pk, &pre_session, pk, 2) == 1); - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(ctx, scratch_small); + scratch_small = rustsecp256k1zkp_v0_6_0_scratch_space_create(ctx, 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch_small, &combined_pk, &pre_session, pk, 2) == 1); + rustsecp256k1zkp_v0_6_0_scratch_space_destroy(ctx, scratch_small); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, NULL, &pre_session, pk, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, NULL, &pre_session, pk, 2) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, NULL, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, NULL, pk, 2) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, NULL, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, NULL, 2) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 0) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, NULL, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, NULL, 0) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(vrfy, scratch, &combined_pk, &pre_session, pk, 2) == 1); /** Tweaking */ ecount = 0; { - rustsecp256k1zkp_v0_5_0_xonly_pubkey tmp_internal_pk = combined_pk; - rustsecp256k1zkp_v0_5_0_pubkey tmp_output_pk; - rustsecp256k1zkp_v0_5_0_musig_pre_session tmp_pre_session = pre_session; - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(ctx, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 1); + rustsecp256k1zkp_v0_6_0_xonly_pubkey tmp_internal_pk = combined_pk; + rustsecp256k1zkp_v0_6_0_pubkey tmp_output_pk; + rustsecp256k1zkp_v0_6_0_musig_pre_session tmp_pre_session = pre_session; + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(ctx, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 1); /* Reset pre_session */ tmp_pre_session = pre_session; - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(none, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(none, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(sign, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(sign, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 1); CHECK(ecount == 2); tmp_pre_session = pre_session; - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, NULL, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, NULL, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); CHECK(ecount == 3); /* Uninitialized pre_session */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &pre_session_uninitialized, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &pre_session_uninitialized, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); CHECK(ecount == 4); /* Using the same pre_session twice does not work */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, tweak) == 0); CHECK(ecount == 5); tmp_pre_session = pre_session; - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, NULL, &tmp_internal_pk, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, NULL, &tmp_internal_pk, tweak) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, NULL, tweak) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, NULL, tweak) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, NULL) == 0); CHECK(ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, ones) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(vrfy, &tmp_pre_session, &tmp_output_pk, &tmp_internal_pk, ones) == 0); CHECK(ecount == 8); } /** Session creation **/ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(none, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(none, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(vrfy, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(vrfy, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, NULL, signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, NULL, signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], NULL, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], NULL, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, NULL, session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, NULL, session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], NULL, msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], NULL, msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], NULL, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], NULL, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, NULL, &pre_session, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, NULL, &pre_session, 2, 0, sk[0]) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, NULL, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, NULL, 2, 0, sk[0]) == 0); CHECK(ecount == 8); /* Uninitialized pre_session */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session_uninitialized, 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session_uninitialized, 2, 0, sk[0]) == 0); CHECK(ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 0, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 0, 0, sk[0]) == 0); CHECK(ecount == 10); /* If more than UINT32_MAX fits in a size_t, test that session_init * rejects n_signers that high. */ if (SIZE_MAX > UINT32_MAX) { - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, ((size_t) UINT32_MAX) + 2, 0, sk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, ((size_t) UINT32_MAX) + 2, 0, sk[0]) == 0); CHECK(ecount == 11); } else { ecount = 11; } - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, NULL) == 0); CHECK(ecount == 12); /* secret key overflows */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, ones) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, ones) == 0); CHECK(ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(sign, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[0], signer0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(sign, &session[1], signer1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, NULL, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, NULL, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, NULL, &combined_pk, &pre_session, ncs, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, NULL, &combined_pk, &pre_session, ncs, 2) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, NULL, &pre_session, ncs, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, NULL, &pre_session, ncs, 2) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, NULL, ncs, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, NULL, ncs, 2) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, NULL, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, NULL, 2) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 0) == 0); CHECK(ecount == 6); if (SIZE_MAX > UINT32_MAX) { - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, ((size_t) UINT32_MAX) + 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, ((size_t) UINT32_MAX) + 2) == 0); CHECK(ecount == 7); } else { ecount = 7; } - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init_verifier(none, &verifier_session, verifier_signer_data, msg, &combined_pk, &pre_session, ncs, 2) == 1); /** Signing step 0 -- exchange nonce commitments */ ecount = 0; { unsigned char nonce[32]; - rustsecp256k1zkp_v0_5_0_musig_session session_0_tmp; + rustsecp256k1zkp_v0_6_0_musig_session session_0_tmp; memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); /* Can obtain public nonce after commitments have been exchanged; still can't sign */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, nonce, ncs, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, &session_0_tmp, &partial_sig[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, nonce, ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, &session_0_tmp, &partial_sig[0]) == 0); CHECK(ecount == 1); } @@ -293,213 +293,213 @@ void musig_api_tests(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { ecount = 0; { unsigned char public_nonce[3][32]; - rustsecp256k1zkp_v0_5_0_musig_session session_0_tmp; + rustsecp256k1zkp_v0_6_0_musig_session session_0_tmp; memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], ncs, 2, NULL) == 1); CHECK(ecount == 0); /* Reset session */ memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, NULL, signer0, public_nonce[0], ncs, 2, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, NULL, signer0, public_nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 1); /* uninitialized session */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session_uninitialized, signer0, public_nonce[0], ncs, 2, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session_uninitialized, signer0, public_nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session_0_tmp, NULL, public_nonce[0], ncs, 2, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session_0_tmp, NULL, public_nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, NULL, ncs, 2, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, NULL, ncs, 2, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], NULL, 2, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], NULL, 2, NULL) == 0); CHECK(ecount == 5); /* Number of commitments and number of signers are different */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], ncs, 1, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session_0_tmp, signer0, public_nonce[0], ncs, 1, NULL) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session[0], signer0, public_nonce[0], ncs, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(none, &session[1], signer1, public_nonce[1], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session[0], signer0, public_nonce[0], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(none, &session[1], signer1, public_nonce[1], ncs, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &signer0[0], public_nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &signer0[1], public_nonce[0]) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &signer0[1], public_nonce[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &signer0[1], public_nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &signer0[0], public_nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &signer0[1], public_nonce[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &signer0[1], public_nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &signer0[1], public_nonce[1]) == 1); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, NULL, public_nonce[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, NULL, public_nonce[0]) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &signer1[0], NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &signer1[0], NULL) == 0); CHECK(ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &signer1[0], public_nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &signer1[1], public_nonce[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &verifier_signer_data[0], public_nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(none, &verifier_signer_data[1], public_nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &signer1[0], public_nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &signer1[1], public_nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &verifier_signer_data[0], public_nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(none, &verifier_signer_data[1], public_nonce[1]) == 1); ecount = 0; memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &combined_nonce_parity, &adaptor) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &combined_nonce_parity, &adaptor) == 1); memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, NULL, signer0, 2, &combined_nonce_parity, &adaptor) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, NULL, signer0, 2, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 1); /* Uninitialized session */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session_uninitialized, signer0, 2, &combined_nonce_parity, &adaptor) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session_uninitialized, signer0, 2, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session_0_tmp, NULL, 2, &combined_nonce_parity, &adaptor) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session_0_tmp, NULL, 2, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 3); /* Number of signers differs from number during intialization */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 1, &combined_nonce_parity, &adaptor) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 1, &combined_nonce_parity, &adaptor) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, NULL, &adaptor) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, NULL, &adaptor) == 1); CHECK(ecount == 4); memcpy(&session_0_tmp, &session[0], sizeof(session_0_tmp)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &combined_nonce_parity, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session_0_tmp, signer0, 2, &combined_nonce_parity, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session[0], signer0, 2, &combined_nonce_parity, &adaptor) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &session[1], signer0, 2, &combined_nonce_parity, &adaptor) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(none, &verifier_session, verifier_signer_data, 2, &combined_nonce_parity, &adaptor) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session[0], signer0, 2, &combined_nonce_parity, &adaptor) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &session[1], signer0, 2, &combined_nonce_parity, &adaptor) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(none, &verifier_session, verifier_signer_data, 2, &combined_nonce_parity, &adaptor) == 1); } /** Signing step 2 -- partial signatures */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, &session[0], &partial_sig[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, &session[0], &partial_sig[0]) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, NULL, &partial_sig[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, NULL, &partial_sig[0]) == 0); CHECK(ecount == 1); /* Uninitialized session */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, &session_uninitialized, &partial_sig[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, &session_uninitialized, &partial_sig[0]) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, &session[0], NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, &session[0], NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, &session[0], &partial_sig[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, &session[1], &partial_sig[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, &session[0], &partial_sig[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, &session[1], &partial_sig[1]) == 1); /* observer can't sign */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(none, &verifier_session, &partial_sig[2]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(none, &verifier_session, &partial_sig[2]) == 0); CHECK(ecount == 4); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_signature_serialize(none, buf, &partial_sig[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_signature_serialize(none, NULL, &partial_sig[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_signature_serialize(none, buf, &partial_sig[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_signature_serialize(none, NULL, &partial_sig[0]) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_signature_serialize(none, buf, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_signature_serialize(none, buf, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse(none, &partial_sig[0], buf) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse(none, NULL, buf) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_signature_parse(none, &partial_sig[0], buf) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_signature_parse(none, NULL, buf) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse(none, &partial_sig[0], NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_signature_parse(none, &partial_sig[0], NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_signature_parse(none, &partial_sig_overflow, ones) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_signature_parse(none, &partial_sig_overflow, ones) == 1); /** Partial signature verification */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(none, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(none, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(sign, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(sign, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[1], &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[1], &pk[0]) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, NULL, &signer0[0], &partial_sig[0], &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, NULL, &signer0[0], &partial_sig[0], &pk[0]) == 0); CHECK(ecount == 3); /* Unitialized session */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session_uninitialized, &signer0[0], &partial_sig[0], &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session_uninitialized, &signer0[0], &partial_sig[0], &pk[0]) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], NULL, &partial_sig[0], &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], NULL, &partial_sig[0], &pk[0]) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], NULL, &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], NULL, &pk[0]) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig_overflow, &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig_overflow, &pk[0]) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], NULL) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[1], &signer1[0], &partial_sig[0], &pk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[1], &partial_sig[1], &pk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &session[1], &signer1[1], &partial_sig[1], &pk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &verifier_session, &verifier_signer_data[0], &partial_sig[0], &pk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(vrfy, &verifier_session, &verifier_signer_data[1], &partial_sig[1], &pk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[0], &partial_sig[0], &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[1], &signer1[0], &partial_sig[0], &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[0], &signer0[1], &partial_sig[1], &pk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &session[1], &signer1[1], &partial_sig[1], &pk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &verifier_session, &verifier_signer_data[0], &partial_sig[0], &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(vrfy, &verifier_session, &verifier_signer_data[1], &partial_sig[1], &pk[1]) == 1); CHECK(ecount == 7); /** Adaptor signature verification */ memcpy(&partial_sig_adapted[1], &partial_sig[1], sizeof(partial_sig_adapted[1])); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], sec_adaptor, combined_nonce_parity) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(none, NULL, &partial_sig[0], sec_adaptor, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], sec_adaptor, combined_nonce_parity) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(none, NULL, &partial_sig[0], sec_adaptor, 0) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], NULL, sec_adaptor, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], NULL, sec_adaptor, 0) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig_overflow, sec_adaptor, combined_nonce_parity) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig_overflow, sec_adaptor, combined_nonce_parity) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], NULL, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], NULL, 0) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], ones, combined_nonce_parity) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(none, &partial_sig_adapted[0], &partial_sig[0], ones, combined_nonce_parity) == 0); CHECK(ecount == 3); /** Signing combining and verification */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_adapted, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], final_sig_cmp, partial_sig_adapted, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_adapted, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], final_sig_cmp, partial_sig_adapted, 2) == 1); CHECK(memcmp(final_sig, final_sig_cmp, sizeof(final_sig)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], final_sig_cmp, partial_sig_adapted, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], final_sig_cmp, partial_sig_adapted, 2) == 1); CHECK(memcmp(final_sig, final_sig_cmp, sizeof(final_sig)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, NULL, final_sig, partial_sig_adapted, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, NULL, final_sig, partial_sig_adapted, 2) == 0); CHECK(ecount == 1); /* Unitialized session */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session_uninitialized, final_sig, partial_sig_adapted, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session_uninitialized, final_sig, partial_sig_adapted, 2) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], NULL, partial_sig_adapted, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], NULL, partial_sig_adapted, 2) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], final_sig, NULL, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], final_sig, NULL, 2) == 0); CHECK(ecount == 4); { - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig_tmp[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig_tmp[2]; partial_sig_tmp[0] = partial_sig_adapted[0]; partial_sig_tmp[1] = partial_sig_overflow; - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_tmp, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_tmp, 2) == 0); } CHECK(ecount == 4); /* Wrong number of partial sigs */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_adapted, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_adapted, 1) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_adapted, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(none, &session[0], final_sig, partial_sig_adapted, 2) == 1); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(vrfy, final_sig, msg, &combined_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(vrfy, final_sig, msg, &combined_pk) == 1); /** Secret adaptor can be extracted from signature */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 2, combined_nonce_parity) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 2, combined_nonce_parity) == 1); CHECK(memcmp(sec_adaptor, sec_adaptor1, 32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, NULL, final_sig, partial_sig, 2, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, NULL, final_sig, partial_sig, 2, 0) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, sec_adaptor1, NULL, partial_sig, 2, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, sec_adaptor1, NULL, partial_sig, 2, 0) == 0); CHECK(ecount == 2); { unsigned char final_sig_tmp[64]; memcpy(final_sig_tmp, final_sig, sizeof(final_sig_tmp)); memcpy(&final_sig_tmp[32], ones, 32); - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig_tmp, partial_sig, 2, combined_nonce_parity) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig_tmp, partial_sig, 2, combined_nonce_parity) == 0); } CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, NULL, 2, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, NULL, 2, 0) == 0); CHECK(ecount == 3); { - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig_tmp[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig_tmp[2]; partial_sig_tmp[0] = partial_sig[0]; partial_sig_tmp[1] = partial_sig_overflow; - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig_tmp, 2, combined_nonce_parity) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig_tmp, 2, combined_nonce_parity) == 0); } CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 0, 0) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 2, 1) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 0, 0) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(none, sec_adaptor1, final_sig, partial_sig, 2, 1) == 1); /** cleanup **/ memset(&session, 0, sizeof(session)); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); } /* Initializes two sessions, one use the given parameters (session_id, @@ -509,36 +509,36 @@ void musig_api_tests(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { * ones and return the resulting messagehash. This should not result in a different * messagehash because the public keys of the signers are only used during session * initialization. */ -void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, rustsecp256k1zkp_v0_5_0_xonly_pubkey *pks, rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, const unsigned char * const *nonce_commitments, unsigned char *msg, unsigned char *nonce_other, unsigned char *sk, unsigned char *session_id) { - rustsecp256k1zkp_v0_5_0_musig_session session; - rustsecp256k1zkp_v0_5_0_musig_session session_tmp; +void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, rustsecp256k1zkp_v0_6_0_xonly_pubkey *pks, rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, const unsigned char * const *nonce_commitments, unsigned char *msg, unsigned char *nonce_other, unsigned char *sk, unsigned char *session_id) { + rustsecp256k1zkp_v0_6_0_musig_session session; + rustsecp256k1zkp_v0_6_0_musig_session session_tmp; unsigned char nonce_commitment[32]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers_tmp[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers_tmp[2]; unsigned char sk_dummy[32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pks_tmp[2]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk_tmp; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session_tmp; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pks_tmp[2]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk_tmp; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session_tmp; unsigned char nonce[32]; /* Set up signers with different public keys */ - rustsecp256k1zkp_v0_5_0_testrand256(sk_dummy); + rustsecp256k1zkp_v0_6_0_testrand256(sk_dummy); pks_tmp[0] = pks[0]; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pks_tmp[1], sk_dummy) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, NULL, &combined_pk_tmp, &pre_session_tmp, pks_tmp, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session_tmp, signers_tmp, nonce_commitment, session_id, msg, &combined_pk_tmp, &pre_session_tmp, 2, 1, sk_dummy) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pks_tmp[1], sk_dummy) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, NULL, &combined_pk_tmp, &pre_session_tmp, pks_tmp, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session_tmp, signers_tmp, nonce_commitment, session_id, msg, &combined_pk_tmp, &pre_session_tmp, 2, 1, sk_dummy) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 0, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 0, sk) == 1); CHECK(memcmp(nonce_commitment, nonce_commitments[1], 32) == 0); /* Call get_public_nonce with different signers than the signers the session was * initialized with. */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session_tmp, signers, nonce, nonce_commitments, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session, signers_tmp, nonce, nonce_commitments, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session_tmp, signers, nonce, nonce_commitments, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session, signers_tmp, nonce, nonce_commitments, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); - rustsecp256k1zkp_v0_5_0_musig_compute_messagehash(ctx, msghash, &session); + rustsecp256k1zkp_v0_6_0_musig_compute_messagehash(ctx, msghash, &session); } /* Creates a new session (with a different session id) and tries to use that session @@ -546,203 +546,203 @@ void musig_state_machine_diff_signer_msghash_test(unsigned char *msghash, rustse * commitments of signers_other do not match the nonce commitments the new session * was initialized with. If do_test is 0, the correct signers are being used and * therefore the function should return 1. */ -int musig_state_machine_diff_signers_combine_nonce_test(rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, unsigned char *nonce_other, unsigned char *msg, unsigned char *sk, rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers_other, int do_test) { - rustsecp256k1zkp_v0_5_0_musig_session session; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data *signers_to_use; +int musig_state_machine_diff_signers_combine_nonce_test(rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, unsigned char *nonce_other, unsigned char *msg, unsigned char *sk, rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers_other, int do_test) { + rustsecp256k1zkp_v0_6_0_musig_session session; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data *signers_to_use; unsigned char nonce_commitment[32]; unsigned char session_id[32]; unsigned char nonce[32]; const unsigned char *ncs[2]; /* Initialize new signers */ - rustsecp256k1zkp_v0_5_0_testrand256(session_id); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 1, sk) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(session_id); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, msg, combined_pk, pre_session, 2, 1, sk) == 1); ncs[0] = nonce_commitment_other; ncs[1] = nonce_commitment; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session, signers, nonce, ncs, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); - rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session, signers_other, 2, NULL, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session, signers, nonce, ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); + rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session, signers_other, 2, NULL, NULL); if (do_test) { signers_to_use = signers_other; } else { signers_to_use = signers; } - return rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session, signers_to_use, 2, NULL, NULL); + return rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session, signers_to_use, 2, NULL, NULL); } /* Initializaes a session with the given session_id, signers, pk, msg etc. * parameters but without a message. Will test that the message must be * provided with `get_public_nonce`. */ -void musig_state_machine_late_msg_test(rustsecp256k1zkp_v0_5_0_xonly_pubkey *pks, rustsecp256k1zkp_v0_5_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, unsigned char *nonce_other, unsigned char *sk, unsigned char *session_id, unsigned char *msg) { +void musig_state_machine_late_msg_test(rustsecp256k1zkp_v0_6_0_xonly_pubkey *pks, rustsecp256k1zkp_v0_6_0_xonly_pubkey *combined_pk, rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session, unsigned char *nonce_commitment_other, unsigned char *nonce_other, unsigned char *sk, unsigned char *session_id, unsigned char *msg) { /* Create context for testing ARG_CHECKs by setting an illegal_callback. */ - rustsecp256k1zkp_v0_5_0_context *ctx_tmp = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *ctx_tmp = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); int ecount = 0; - rustsecp256k1zkp_v0_5_0_musig_session session; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers[2]; + rustsecp256k1zkp_v0_6_0_musig_session session; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers[2]; unsigned char nonce_commitment[32]; const unsigned char *ncs[2]; unsigned char nonce[32]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, NULL, combined_pk, pre_session, 2, 1, sk) == 1); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session, signers, nonce_commitment, session_id, NULL, combined_pk, pre_session, 2, 1, sk) == 1); ncs[0] = nonce_commitment_other; ncs[1] = nonce_commitment; /* Trying to get the nonce without providing a message fails. */ CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx_tmp, &session, signers, nonce, ncs, 2, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx_tmp, &session, signers, nonce, ncs, 2, NULL) == 0); CHECK(ecount == 1); /* Providing a message should make get_public_nonce succeed. */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session, signers, nonce, ncs, 2, msg) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session, signers, nonce, ncs, 2, msg) == 1); /* Trying to set the message again fails. */ CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx_tmp, &session, signers, nonce, ncs, 2, msg) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx_tmp, &session, signers, nonce, ncs, 2, msg) == 0); CHECK(ecount == 2); /* Check that it's working */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &session, &partial_sig)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session, &signers[1], &partial_sig, &pks[1])); - rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers[0], nonce_other) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers[1], nonce) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session, signers, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &session, &partial_sig)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session, &signers[1], &partial_sig, &pks[1])); + rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); } -void musig_state_machine_tests(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { - rustsecp256k1zkp_v0_5_0_context *ctx_tmp = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_VERIFY); +void musig_state_machine_tests(rustsecp256k1zkp_v0_6_0_scratch_space *scratch) { + rustsecp256k1zkp_v0_6_0_context *ctx_tmp = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_VERIFY); size_t i; - rustsecp256k1zkp_v0_5_0_musig_session session[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers0[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers1[2]; + rustsecp256k1zkp_v0_6_0_musig_session session[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers0[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers1[2]; unsigned char nonce_commitment[2][32]; unsigned char session_id[2][32]; unsigned char msg[32]; unsigned char sk[2][32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk[2]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk[2]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session; unsigned char nonce[2][32]; const unsigned char *ncs[2]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig[2]; unsigned char sig[64]; unsigned char msghash1[32]; unsigned char msghash2[32]; int ecount; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx_tmp, counting_illegal_callback_fn, &ecount); ecount = 0; /* Run state machine with the same objects twice to test that it's allowed to * reinitialize session and session_signer_data. */ for (i = 0; i < 2; i++) { /* Setup */ - rustsecp256k1zkp_v0_5_0_testrand256(session_id[0]); - rustsecp256k1zkp_v0_5_0_testrand256(session_id[1]); - rustsecp256k1zkp_v0_5_0_testrand256(sk[0]); - rustsecp256k1zkp_v0_5_0_testrand256(sk[1]); - rustsecp256k1zkp_v0_5_0_testrand256(msg); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, scratch, &combined_pk, &pre_session, pk, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session[0], signers0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session[1], signers1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[0]); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[1]); + rustsecp256k1zkp_v0_6_0_testrand256(sk[0]); + rustsecp256k1zkp_v0_6_0_testrand256(sk[1]); + rustsecp256k1zkp_v0_6_0_testrand256(msg); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, scratch, &combined_pk, &pre_session, pk, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session[0], signers0, nonce_commitment[0], session_id[0], msg, &combined_pk, &pre_session, 2, 0, sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session[1], signers1, nonce_commitment[1], session_id[1], msg, &combined_pk, &pre_session, 2, 1, sk[1]) == 1); /* Can't combine nonces unless we're through round 1 already */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx_tmp, &session[0], signers0, 2, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx_tmp, &session[0], signers0, 2, NULL, NULL) == 0); CHECK(ecount == 1); /* Set nonce commitments */ ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session[0], signers0, nonce[0], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session[0], signers0, nonce[0], ncs, 2, NULL) == 1); /* Calling the function again is not okay */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx_tmp, &session[0], signers0, nonce[0], ncs, 2, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx_tmp, &session[0], signers0, nonce[0], ncs, 2, NULL) == 0); CHECK(ecount == 1); /* Get nonce for signer 1 */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session[1], signers1, nonce[1], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session[1], signers1, nonce[1], ncs, 2, NULL) == 1); /* Set nonces */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers0[0], nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers0[0], nonce[0]) == 1); /* Can't set nonce that doesn't match nonce commitment */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers0[1], nonce[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers0[1], nonce[0]) == 0); /* Set correct nonce */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers0[1], nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers0[1], nonce[1]) == 1); /* Combine nonces */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session[0], signers0, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session[0], signers0, 2, NULL, NULL) == 1); /* Not everyone is present from signer 1's view */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 0); /* Make everyone present */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers1[0], nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers1[1], nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers1[0], nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers1[1], nonce[1]) == 1); /* Can't combine nonces from signers of a different session */ CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, &pre_session, nonce_commitment[0], nonce[0], msg, sk[1], signers1, 1) == 0); CHECK(musig_state_machine_diff_signers_combine_nonce_test(&combined_pk, &pre_session, nonce_commitment[0], nonce[0], msg, sk[1], signers1, 0) == 1); /* Partially sign */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); /* Can't verify, sign or combine signatures until nonce is combined */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx_tmp, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx_tmp, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx_tmp, &session[1], &partial_sig[1]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx_tmp, &session[1], &partial_sig[1]) == 0); CHECK(ecount == 2); memset(&partial_sig[1], 0, sizeof(partial_sig[1])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(ctx_tmp, &session[1], sig, partial_sig, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(ctx_tmp, &session[1], sig, partial_sig, 2) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 1); /* messagehash should be the same as a session whose get_public_nonce was called * with different signers (i.e. they diff in public keys). This is because the * public keys of the signers is set in stone when initializing the session. */ - rustsecp256k1zkp_v0_5_0_musig_compute_messagehash(ctx, msghash1, &session[1]); + rustsecp256k1zkp_v0_6_0_musig_compute_messagehash(ctx, msghash1, &session[1]); musig_state_machine_diff_signer_msghash_test(msghash2, pk, &combined_pk, &pre_session, ncs, msg, nonce[0], sk[1], session_id[1]); CHECK(memcmp(msghash1, msghash2, 32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[1], &signers1[1], &partial_sig[1], &pk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[1], &signers1[1], &partial_sig[1], &pk[1]) == 1); /* Wrong signature */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[1], &signers1[1], &partial_sig[0], &pk[1]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[1], &signers1[1], &partial_sig[0], &pk[1]) == 0); /* Can't get the public nonce until msg is set */ musig_state_machine_late_msg_test(pk, &combined_pk, &pre_session, nonce_commitment[0], nonce[0], sk[1], session_id[1], msg); } - rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); + rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); } -void scriptless_atomic_swap(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { +void scriptless_atomic_swap(rustsecp256k1zkp_v0_6_0_scratch_space *scratch) { /* Throughout this test "a" and "b" refer to two hypothetical blockchains, * while the indices 0 and 1 refer to the two signers. Here signer 0 is * sending a-coins to signer 1, while signer 1 is sending b-coins to signer * 0. Signer 0 produces the adaptor signatures. */ unsigned char final_sig_a[64]; unsigned char final_sig_b[64]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig_a[2]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig_b_adapted[2]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig_b[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig_a[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig_b_adapted[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig_b[2]; unsigned char sec_adaptor[32]; unsigned char sec_adaptor_extracted[32]; - rustsecp256k1zkp_v0_5_0_pubkey pub_adaptor; + rustsecp256k1zkp_v0_6_0_pubkey pub_adaptor; unsigned char seckey_a[2][32]; unsigned char seckey_b[2][32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk_a[2]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk_b[2]; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session_a; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session_b; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk_a; - rustsecp256k1zkp_v0_5_0_xonly_pubkey combined_pk_b; - rustsecp256k1zkp_v0_5_0_musig_session musig_session_a[2]; - rustsecp256k1zkp_v0_5_0_musig_session musig_session_b[2]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk_a[2]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk_b[2]; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session_a; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session_b; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk_a; + rustsecp256k1zkp_v0_6_0_xonly_pubkey combined_pk_b; + rustsecp256k1zkp_v0_6_0_musig_session musig_session_a[2]; + rustsecp256k1zkp_v0_6_0_musig_session musig_session_b[2]; unsigned char noncommit_a[2][32]; unsigned char noncommit_b[2][32]; const unsigned char *noncommit_a_ptr[2]; @@ -751,198 +751,198 @@ void scriptless_atomic_swap(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { unsigned char pubnon_b[2][32]; int combined_nonce_parity_a; int combined_nonce_parity_b; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data data_a[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data data_b[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data data_a[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data data_b[2]; const unsigned char seed[32] = "still tired of choosing seeds..."; const unsigned char msg32_a[32] = "this is the message blockchain a"; const unsigned char msg32_b[32] = "this is the message blockchain b"; /* Step 1: key setup */ - rustsecp256k1zkp_v0_5_0_testrand256(seckey_a[0]); - rustsecp256k1zkp_v0_5_0_testrand256(seckey_a[1]); - rustsecp256k1zkp_v0_5_0_testrand256(seckey_b[0]); - rustsecp256k1zkp_v0_5_0_testrand256(seckey_b[1]); - rustsecp256k1zkp_v0_5_0_testrand256(sec_adaptor); - - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk_a[0], seckey_a[0])); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk_a[1], seckey_a[1])); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk_b[0], seckey_b[0])); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk_b[1], seckey_b[1])); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pub_adaptor, sec_adaptor)); - - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, scratch, &combined_pk_a, &pre_session_a, pk_a, 2)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, scratch, &combined_pk_b, &pre_session_b, pk_b, 2)); - - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &musig_session_a[0], data_a, noncommit_a[0], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 0, seckey_a[0])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &musig_session_a[1], data_a, noncommit_a[1], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 1, seckey_a[1])); + rustsecp256k1zkp_v0_6_0_testrand256(seckey_a[0]); + rustsecp256k1zkp_v0_6_0_testrand256(seckey_a[1]); + rustsecp256k1zkp_v0_6_0_testrand256(seckey_b[0]); + rustsecp256k1zkp_v0_6_0_testrand256(seckey_b[1]); + rustsecp256k1zkp_v0_6_0_testrand256(sec_adaptor); + + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk_a[0], seckey_a[0])); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk_a[1], seckey_a[1])); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk_b[0], seckey_b[0])); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk_b[1], seckey_b[1])); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pub_adaptor, sec_adaptor)); + + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, scratch, &combined_pk_a, &pre_session_a, pk_a, 2)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, scratch, &combined_pk_b, &pre_session_b, pk_b, 2)); + + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &musig_session_a[0], data_a, noncommit_a[0], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 0, seckey_a[0])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &musig_session_a[1], data_a, noncommit_a[1], seed, msg32_a, &combined_pk_a, &pre_session_a, 2, 1, seckey_a[1])); noncommit_a_ptr[0] = noncommit_a[0]; noncommit_a_ptr[1] = noncommit_a[1]; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &musig_session_b[0], data_b, noncommit_b[0], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 0, seckey_b[0])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &musig_session_b[1], data_b, noncommit_b[1], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 1, seckey_b[1])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &musig_session_b[0], data_b, noncommit_b[0], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 0, seckey_b[0])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &musig_session_b[1], data_b, noncommit_b[1], seed, msg32_b, &combined_pk_b, &pre_session_b, 2, 1, seckey_b[1])); noncommit_b_ptr[0] = noncommit_b[0]; noncommit_b_ptr[1] = noncommit_b[1]; /* Step 2: Exchange nonces */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &musig_session_a[0], data_a, pubnon_a[0], noncommit_a_ptr, 2, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &musig_session_a[1], data_a, pubnon_a[1], noncommit_a_ptr, 2, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &musig_session_b[0], data_b, pubnon_b[0], noncommit_b_ptr, 2, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &musig_session_b[1], data_b, pubnon_b[1], noncommit_b_ptr, 2, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &data_a[0], pubnon_a[0])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &data_a[1], pubnon_a[1])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &data_b[0], pubnon_b[0])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &data_b[1], pubnon_b[1])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &musig_session_a[0], data_a, 2, &combined_nonce_parity_a, &pub_adaptor)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &musig_session_a[1], data_a, 2, NULL, &pub_adaptor)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &musig_session_b[0], data_b, 2, &combined_nonce_parity_b, &pub_adaptor)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &musig_session_b[1], data_b, 2, NULL, &pub_adaptor)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &musig_session_a[0], data_a, pubnon_a[0], noncommit_a_ptr, 2, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &musig_session_a[1], data_a, pubnon_a[1], noncommit_a_ptr, 2, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &musig_session_b[0], data_b, pubnon_b[0], noncommit_b_ptr, 2, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &musig_session_b[1], data_b, pubnon_b[1], noncommit_b_ptr, 2, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &data_a[0], pubnon_a[0])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &data_a[1], pubnon_a[1])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &data_b[0], pubnon_b[0])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &data_b[1], pubnon_b[1])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &musig_session_a[0], data_a, 2, &combined_nonce_parity_a, &pub_adaptor)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &musig_session_a[1], data_a, 2, NULL, &pub_adaptor)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &musig_session_b[0], data_b, 2, &combined_nonce_parity_b, &pub_adaptor)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &musig_session_b[1], data_b, 2, NULL, &pub_adaptor)); /* Step 3: Signer 0 produces partial signatures for both chains. */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &musig_session_a[0], &partial_sig_a[0])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &musig_session_b[0], &partial_sig_b[0])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &musig_session_a[0], &partial_sig_a[0])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &musig_session_b[0], &partial_sig_b[0])); /* Step 4: Signer 1 receives partial signatures, verifies them and creates a * partial signature to send B-coins to signer 0. */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &musig_session_a[1], data_a, &partial_sig_a[0], &pk_a[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &musig_session_b[1], data_b, &partial_sig_b[0], &pk_b[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &musig_session_b[1], &partial_sig_b[1])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &musig_session_a[1], data_a, &partial_sig_a[0], &pk_a[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &musig_session_b[1], data_b, &partial_sig_b[0], &pk_b[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &musig_session_b[1], &partial_sig_b[1])); /* Step 5: Signer 0 adapts its own partial signature and combines it with the * partial signature from signer 1. This results in a complete signature which * is broadcasted by signer 0 to take B-coins. */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(ctx, &partial_sig_b_adapted[0], &partial_sig_b[0], sec_adaptor, combined_nonce_parity_b)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(ctx, &partial_sig_b_adapted[0], &partial_sig_b[0], sec_adaptor, combined_nonce_parity_b)); memcpy(&partial_sig_b_adapted[1], &partial_sig_b[1], sizeof(partial_sig_b_adapted[1])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(ctx, &musig_session_b[0], final_sig_b, partial_sig_b_adapted, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, final_sig_b, msg32_b, &combined_pk_b) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(ctx, &musig_session_b[0], final_sig_b, partial_sig_b_adapted, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, final_sig_b, msg32_b, &combined_pk_b) == 1); /* Step 6: Signer 1 extracts adaptor from the published signature, applies it to * other partial signature, and takes A-coins. */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_extract_secret_adaptor(ctx, sec_adaptor_extracted, final_sig_b, partial_sig_b, 2, combined_nonce_parity_b) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_extract_secret_adaptor(ctx, sec_adaptor_extracted, final_sig_b, partial_sig_b, 2, combined_nonce_parity_b) == 1); CHECK(memcmp(sec_adaptor_extracted, sec_adaptor, sizeof(sec_adaptor)) == 0); /* in real life we couldn't check this, of course */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_adapt(ctx, &partial_sig_a[0], &partial_sig_a[0], sec_adaptor_extracted, combined_nonce_parity_a)); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &musig_session_a[1], &partial_sig_a[1])); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(ctx, &musig_session_a[1], final_sig_a, partial_sig_a, 2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, final_sig_a, msg32_a, &combined_pk_a) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_adapt(ctx, &partial_sig_a[0], &partial_sig_a[0], sec_adaptor_extracted, combined_nonce_parity_a)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &musig_session_a[1], &partial_sig_a[1])); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(ctx, &musig_session_a[1], final_sig_a, partial_sig_a, 2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, final_sig_a, msg32_a, &combined_pk_a) == 1); } -/* Checks that hash initialized by rustsecp256k1zkp_v0_5_0_musig_sha256_init_tagged has the +/* Checks that hash initialized by rustsecp256k1zkp_v0_6_0_musig_sha256_init_tagged has the * expected state. */ void sha256_tag_test(void) { char tag[17] = "MuSig coefficient"; - rustsecp256k1zkp_v0_5_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_sha256 sha_tagged; + rustsecp256k1zkp_v0_6_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha_tagged; unsigned char buf[32]; unsigned char buf2[32]; size_t i; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, (unsigned char *) tag, 17); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, buf); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, (unsigned char *) tag, 17); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, buf); /* buf = SHA256("MuSig coefficient") */ - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, buf, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, buf, 32); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, buf, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, buf, 32); /* Is buffer fully consumed? */ CHECK((sha.bytes & 0x3F) == 0); /* Compare with tagged SHA */ - rustsecp256k1zkp_v0_5_0_musig_sha256_init_tagged(&sha_tagged); + rustsecp256k1zkp_v0_6_0_musig_sha256_init_tagged(&sha_tagged); for (i = 0; i < 8; i++) { CHECK(sha_tagged.s[i] == sha.s[i]); } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, buf, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha_tagged, buf, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, buf); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha_tagged, buf2); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, buf, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha_tagged, buf, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, buf); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha_tagged, buf2); CHECK(memcmp(buf, buf2, 32) == 0); } /* Attempts to create a signature for the combined public key using given secret * keys and pre_session. */ -void musig_tweak_test_helper(const rustsecp256k1zkp_v0_5_0_xonly_pubkey* combined_pubkey, const unsigned char *sk0, const unsigned char *sk1, rustsecp256k1zkp_v0_5_0_musig_pre_session *pre_session) { - rustsecp256k1zkp_v0_5_0_musig_session session[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers0[2]; - rustsecp256k1zkp_v0_5_0_musig_session_signer_data signers1[2]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk[2]; +void musig_tweak_test_helper(const rustsecp256k1zkp_v0_6_0_xonly_pubkey* combined_pubkey, const unsigned char *sk0, const unsigned char *sk1, rustsecp256k1zkp_v0_6_0_musig_pre_session *pre_session) { + rustsecp256k1zkp_v0_6_0_musig_session session[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers0[2]; + rustsecp256k1zkp_v0_6_0_musig_session_signer_data signers1[2]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk[2]; unsigned char session_id[2][32]; unsigned char msg[32]; unsigned char nonce_commitment[2][32]; unsigned char nonce[2][32]; const unsigned char *ncs[2]; - rustsecp256k1zkp_v0_5_0_musig_partial_signature partial_sig[2]; + rustsecp256k1zkp_v0_6_0_musig_partial_signature partial_sig[2]; unsigned char final_sig[64]; - rustsecp256k1zkp_v0_5_0_testrand256(session_id[0]); - rustsecp256k1zkp_v0_5_0_testrand256(session_id[1]); - rustsecp256k1zkp_v0_5_0_testrand256(msg); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[0]); + rustsecp256k1zkp_v0_6_0_testrand256(session_id[1]); + rustsecp256k1zkp_v0_6_0_testrand256(msg); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[0], sk0) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[1], sk1) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[0], sk0) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[1], sk1) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session[0], signers0, nonce_commitment[0], session_id[0], msg, combined_pubkey, pre_session, 2, 0, sk0) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_init(ctx, &session[1], signers1, nonce_commitment[1], session_id[1], msg, combined_pubkey, pre_session, 2, 1, sk1) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session[0], signers0, nonce_commitment[0], session_id[0], msg, combined_pubkey, pre_session, 2, 0, sk0) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_init(ctx, &session[1], signers1, nonce_commitment[1], session_id[1], msg, combined_pubkey, pre_session, 2, 1, sk1) == 1); /* Set nonce commitments */ ncs[0] = nonce_commitment[0]; ncs[1] = nonce_commitment[1]; - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session[0], signers0, nonce[0], ncs, 2, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_get_public_nonce(ctx, &session[1], signers1, nonce[1], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session[0], signers0, nonce[0], ncs, 2, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_get_public_nonce(ctx, &session[1], signers1, nonce[1], ncs, 2, NULL) == 1); /* Set nonces */ - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers0[0], nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers0[1], nonce[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers1[0], nonce[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_set_nonce(ctx, &signers1[1], nonce[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session[0], signers0, 2, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[0], &signers0[1], &partial_sig[1], &pk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_verify(ctx, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_partial_sig_combine(ctx, &session[0], final_sig, partial_sig, 2)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, final_sig, msg, combined_pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers0[0], nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers0[1], nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers1[0], nonce[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_set_nonce(ctx, &signers1[1], nonce[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session[0], signers0, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_session_combine_nonces(ctx, &session[1], signers1, 2, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &session[0], &partial_sig[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sign(ctx, &session[1], &partial_sig[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[0], &signers0[1], &partial_sig[1], &pk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_verify(ctx, &session[1], &signers1[0], &partial_sig[0], &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_partial_sig_combine(ctx, &session[0], final_sig, partial_sig, 2)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, final_sig, msg, combined_pubkey) == 1); } /* In this test we create a combined public key P and a commitment Q = P + * hash(P, contract)*G. Then we test that we can sign for both public keys. In * order to sign for Q we use the tweak32 argument of partial_sig_combine. */ -void musig_tweak_test(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { +void musig_tweak_test(rustsecp256k1zkp_v0_6_0_scratch_space *scratch) { unsigned char sk[2][32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk[2]; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session_P; - rustsecp256k1zkp_v0_5_0_musig_pre_session pre_session_Q; - rustsecp256k1zkp_v0_5_0_xonly_pubkey P; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk[2]; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session_P; + rustsecp256k1zkp_v0_6_0_musig_pre_session pre_session_Q; + rustsecp256k1zkp_v0_6_0_xonly_pubkey P; unsigned char P_serialized[32]; - rustsecp256k1zkp_v0_5_0_pubkey Q; + rustsecp256k1zkp_v0_6_0_pubkey Q; int Q_parity; - rustsecp256k1zkp_v0_5_0_xonly_pubkey Q_xonly; + rustsecp256k1zkp_v0_6_0_xonly_pubkey Q_xonly; unsigned char Q_serialized[32]; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char contract[32]; unsigned char ec_commit_tweak[32]; /* Setup */ - rustsecp256k1zkp_v0_5_0_testrand256(sk[0]); - rustsecp256k1zkp_v0_5_0_testrand256(sk[1]); - rustsecp256k1zkp_v0_5_0_testrand256(contract); - - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_combine(ctx, scratch, &P, &pre_session_P, pk, 2) == 1); - - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, P_serialized, &P) == 1); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, P_serialized, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, contract, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, ec_commit_tweak); + rustsecp256k1zkp_v0_6_0_testrand256(sk[0]); + rustsecp256k1zkp_v0_6_0_testrand256(sk[1]); + rustsecp256k1zkp_v0_6_0_testrand256(contract); + + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[0], sk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_create(&pk[1], sk[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_combine(ctx, scratch, &P, &pre_session_P, pk, 2) == 1); + + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, P_serialized, &P) == 1); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, P_serialized, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, contract, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, ec_commit_tweak); pre_session_Q = pre_session_P; - CHECK(rustsecp256k1zkp_v0_5_0_musig_pubkey_tweak_add(ctx, &pre_session_Q, &Q, &P, ec_commit_tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_from_pubkey(ctx, &Q_xonly, &Q_parity, &Q)); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, Q_serialized, &Q_xonly)); + CHECK(rustsecp256k1zkp_v0_6_0_musig_pubkey_tweak_add(ctx, &pre_session_Q, &Q, &P, ec_commit_tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_from_pubkey(ctx, &Q_xonly, &Q_parity, &Q)); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, Q_serialized, &Q_xonly)); /* Check that musig_pubkey_tweak_add produces same result as * xonly_pubkey_tweak_add. */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, Q_serialized, Q_parity, &P, ec_commit_tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, Q_serialized, Q_parity, &P, ec_commit_tweak) == 1); /* Test signing for P */ musig_tweak_test_helper(&P, sk[0], sk[1], &pre_session_P); @@ -952,7 +952,7 @@ void musig_tweak_test(rustsecp256k1zkp_v0_5_0_scratch_space *scratch) { void run_musig_tests(void) { int i; - rustsecp256k1zkp_v0_5_0_scratch_space *scratch = rustsecp256k1zkp_v0_5_0_scratch_space_create(ctx, 1024 * 1024); + rustsecp256k1zkp_v0_6_0_scratch_space *scratch = rustsecp256k1zkp_v0_6_0_scratch_space_create(ctx, 1024 * 1024); for (i = 0; i < count; i++) { musig_simple_test(scratch); @@ -967,7 +967,7 @@ void run_musig_tests(void) { } sha256_tag_test(); - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(ctx, scratch); + rustsecp256k1zkp_v0_6_0_scratch_space_destroy(ctx, scratch); } #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/Makefile.am.include index dac434cb..21a15df0 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_rangeproof.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_rangeproof.h noinst_HEADERS += src/modules/rangeproof/main_impl.h noinst_HEADERS += src/modules/rangeproof/pedersen.h noinst_HEADERS += src/modules/rangeproof/pedersen_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean.h index b742a508..73b93413 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean.h @@ -14,11 +14,11 @@ #include "ecmult.h" #include "ecmult_gen.h" -int rustsecp256k1zkp_v0_5_0_borromean_verify(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_scalar *evalues, const unsigned char *e0, const rustsecp256k1zkp_v0_5_0_scalar *s, - const rustsecp256k1zkp_v0_5_0_gej *pubs, const size_t *rsizes, size_t nrings, const unsigned char *m, size_t mlen); +int rustsecp256k1zkp_v0_6_0_borromean_verify(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_scalar *evalues, const unsigned char *e0, const rustsecp256k1zkp_v0_6_0_scalar *s, + const rustsecp256k1zkp_v0_6_0_gej *pubs, const size_t *rsizes, size_t nrings, const unsigned char *m, size_t mlen); -int rustsecp256k1zkp_v0_5_0_borromean_sign(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ecmult_gen_ctx, - unsigned char *e0, rustsecp256k1zkp_v0_5_0_scalar *s, const rustsecp256k1zkp_v0_5_0_gej *pubs, const rustsecp256k1zkp_v0_5_0_scalar *k, const rustsecp256k1zkp_v0_5_0_scalar *sec, +int rustsecp256k1zkp_v0_6_0_borromean_sign(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ecmult_gen_ctx, + unsigned char *e0, rustsecp256k1zkp_v0_6_0_scalar *s, const rustsecp256k1zkp_v0_6_0_gej *pubs, const rustsecp256k1zkp_v0_6_0_scalar *k, const rustsecp256k1zkp_v0_6_0_scalar *sec, const size_t *rsizes, const size_t *secidx, size_t nrings, const unsigned char *m, size_t mlen); #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean_impl.h index 21bb8e27..cfaeb7c1 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/borromean_impl.h @@ -26,19 +26,19 @@ #define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24)) #endif -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_borromean_hash(unsigned char *hash, const unsigned char *m, size_t mlen, const unsigned char *e, size_t elen, +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_borromean_hash(unsigned char *hash, const unsigned char *m, size_t mlen, const unsigned char *e, size_t elen, size_t ridx, size_t eidx) { uint32_t ring; uint32_t epos; - rustsecp256k1zkp_v0_5_0_sha256 sha256_en; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_en); + rustsecp256k1zkp_v0_6_0_sha256 sha256_en; + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_en); ring = BE32((uint32_t)ridx); epos = BE32((uint32_t)eidx); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_en, e, elen); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_en, m, mlen); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_en, (unsigned char*)&ring, 4); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_en, (unsigned char*)&epos, 4); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_en, hash); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_en, e, elen); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_en, m, mlen); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_en, (unsigned char*)&ring, 4); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_en, (unsigned char*)&epos, 4); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_en, hash); } /** "Borromean" ring signature. @@ -55,12 +55,12 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_borromean_hash(unsigned cha * | | r_i = r * | return e_0 ==== H(r_{0..i}||m) */ -int rustsecp256k1zkp_v0_5_0_borromean_verify(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_scalar *evalues, const unsigned char *e0, - const rustsecp256k1zkp_v0_5_0_scalar *s, const rustsecp256k1zkp_v0_5_0_gej *pubs, const size_t *rsizes, size_t nrings, const unsigned char *m, size_t mlen) { - rustsecp256k1zkp_v0_5_0_gej rgej; - rustsecp256k1zkp_v0_5_0_ge rge; - rustsecp256k1zkp_v0_5_0_scalar ens; - rustsecp256k1zkp_v0_5_0_sha256 sha256_e0; +int rustsecp256k1zkp_v0_6_0_borromean_verify(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_scalar *evalues, const unsigned char *e0, + const rustsecp256k1zkp_v0_6_0_scalar *s, const rustsecp256k1zkp_v0_6_0_gej *pubs, const size_t *rsizes, size_t nrings, const unsigned char *m, size_t mlen) { + rustsecp256k1zkp_v0_6_0_gej rgej; + rustsecp256k1zkp_v0_6_0_ge rge; + rustsecp256k1zkp_v0_6_0_scalar ens; + rustsecp256k1zkp_v0_6_0_sha256 sha256_e0; unsigned char tmp[33]; size_t i; size_t j; @@ -75,47 +75,47 @@ int rustsecp256k1zkp_v0_5_0_borromean_verify(const rustsecp256k1zkp_v0_5_0_ecmul VERIFY_CHECK(nrings > 0); VERIFY_CHECK(m != NULL); count = 0; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_e0); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_e0); for (i = 0; i < nrings; i++) { VERIFY_CHECK(INT_MAX - count > rsizes[i]); - rustsecp256k1zkp_v0_5_0_borromean_hash(tmp, m, mlen, e0, 32, i, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&ens, tmp, &overflow); + rustsecp256k1zkp_v0_6_0_borromean_hash(tmp, m, mlen, e0, 32, i, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&ens, tmp, &overflow); for (j = 0; j < rsizes[i]; j++) { - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s[count]) || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&ens) || rustsecp256k1zkp_v0_5_0_gej_is_infinity(&pubs[count])) { + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s[count]) || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&ens) || rustsecp256k1zkp_v0_6_0_gej_is_infinity(&pubs[count])) { return 0; } if (evalues) { /*If requested, save the challenges for proof rewind.*/ evalues[count] = ens; } - rustsecp256k1zkp_v0_5_0_ecmult(ecmult_ctx, &rgej, &pubs[count], &ens, &s[count]); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&rgej)) { + rustsecp256k1zkp_v0_6_0_ecmult(ecmult_ctx, &rgej, &pubs[count], &ens, &s[count]); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&rgej)) { return 0; } /* OPT: loop can be hoisted and split to use batch inversion across all the rings; this would make it much faster. */ - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&rge, &rgej); - rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&rge, &rgej); + rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); if (j != rsizes[i] - 1) { - rustsecp256k1zkp_v0_5_0_borromean_hash(tmp, m, mlen, tmp, 33, i, j + 1); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&ens, tmp, &overflow); + rustsecp256k1zkp_v0_6_0_borromean_hash(tmp, m, mlen, tmp, 33, i, j + 1); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&ens, tmp, &overflow); } else { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_e0, tmp, size); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_e0, tmp, size); } count++; } } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_e0, m, mlen); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_e0, tmp); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_e0, m, mlen); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_e0, tmp); return memcmp(e0, tmp, 32) == 0; } -int rustsecp256k1zkp_v0_5_0_borromean_sign(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ecmult_gen_ctx, - unsigned char *e0, rustsecp256k1zkp_v0_5_0_scalar *s, const rustsecp256k1zkp_v0_5_0_gej *pubs, const rustsecp256k1zkp_v0_5_0_scalar *k, const rustsecp256k1zkp_v0_5_0_scalar *sec, +int rustsecp256k1zkp_v0_6_0_borromean_sign(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ecmult_gen_ctx, + unsigned char *e0, rustsecp256k1zkp_v0_6_0_scalar *s, const rustsecp256k1zkp_v0_6_0_gej *pubs, const rustsecp256k1zkp_v0_6_0_scalar *k, const rustsecp256k1zkp_v0_6_0_scalar *sec, const size_t *rsizes, const size_t *secidx, size_t nrings, const unsigned char *m, size_t mlen) { - rustsecp256k1zkp_v0_5_0_gej rgej; - rustsecp256k1zkp_v0_5_0_ge rge; - rustsecp256k1zkp_v0_5_0_scalar ens; - rustsecp256k1zkp_v0_5_0_sha256 sha256_e0; + rustsecp256k1zkp_v0_6_0_gej rgej; + rustsecp256k1zkp_v0_6_0_ge rge; + rustsecp256k1zkp_v0_6_0_scalar ens; + rustsecp256k1zkp_v0_6_0_sha256 sha256_e0; unsigned char tmp[33]; size_t i; size_t j; @@ -133,70 +133,70 @@ int rustsecp256k1zkp_v0_5_0_borromean_sign(const rustsecp256k1zkp_v0_5_0_ecmult_ VERIFY_CHECK(secidx != NULL); VERIFY_CHECK(nrings > 0); VERIFY_CHECK(m != NULL); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_e0); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_e0); count = 0; for (i = 0; i < nrings; i++) { VERIFY_CHECK(INT_MAX - count > rsizes[i]); - rustsecp256k1zkp_v0_5_0_ecmult_gen(ecmult_gen_ctx, &rgej, &k[i]); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&rge, &rgej); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&rgej)) { + rustsecp256k1zkp_v0_6_0_ecmult_gen(ecmult_gen_ctx, &rgej, &k[i]); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&rge, &rgej); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&rgej)) { return 0; } - rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); + rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); for (j = secidx[i] + 1; j < rsizes[i]; j++) { - rustsecp256k1zkp_v0_5_0_borromean_hash(tmp, m, mlen, tmp, 33, i, j); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&ens, tmp, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&ens)) { + rustsecp256k1zkp_v0_6_0_borromean_hash(tmp, m, mlen, tmp, 33, i, j); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&ens, tmp, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&ens)) { return 0; } /** The signing algorithm as a whole is not memory uniform so there is likely a cache sidechannel that * leaks which members are non-forgeries. That the forgeries themselves are variable time may leave * an additional privacy impacting timing side-channel, but not a key loss one. */ - rustsecp256k1zkp_v0_5_0_ecmult(ecmult_ctx, &rgej, &pubs[count + j], &ens, &s[count + j]); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&rgej)) { + rustsecp256k1zkp_v0_6_0_ecmult(ecmult_ctx, &rgej, &pubs[count + j], &ens, &s[count + j]); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&rgej)) { return 0; } - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&rge, &rgej); - rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&rge, &rgej); + rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_e0, tmp, size); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_e0, tmp, size); count += rsizes[i]; } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_e0, m, mlen); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_e0, e0); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_e0, m, mlen); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_e0, e0); count = 0; for (i = 0; i < nrings; i++) { VERIFY_CHECK(INT_MAX - count > rsizes[i]); - rustsecp256k1zkp_v0_5_0_borromean_hash(tmp, m, mlen, e0, 32, i, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&ens, tmp, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&ens)) { + rustsecp256k1zkp_v0_6_0_borromean_hash(tmp, m, mlen, e0, 32, i, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&ens, tmp, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&ens)) { return 0; } for (j = 0; j < secidx[i]; j++) { - rustsecp256k1zkp_v0_5_0_ecmult(ecmult_ctx, &rgej, &pubs[count + j], &ens, &s[count + j]); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&rgej)) { + rustsecp256k1zkp_v0_6_0_ecmult(ecmult_ctx, &rgej, &pubs[count + j], &ens, &s[count + j]); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&rgej)) { return 0; } - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&rge, &rgej); - rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); - rustsecp256k1zkp_v0_5_0_borromean_hash(tmp, m, mlen, tmp, 33, i, j + 1); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&ens, tmp, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&ens)) { + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&rge, &rgej); + rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&rge, tmp, &size, 1); + rustsecp256k1zkp_v0_6_0_borromean_hash(tmp, m, mlen, tmp, 33, i, j + 1); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&ens, tmp, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&ens)) { return 0; } } - rustsecp256k1zkp_v0_5_0_scalar_mul(&s[count + j], &ens, &sec[i]); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s[count + j], &s[count + j]); - rustsecp256k1zkp_v0_5_0_scalar_add(&s[count + j], &s[count + j], &k[i]); - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s[count + j])) { + rustsecp256k1zkp_v0_6_0_scalar_mul(&s[count + j], &ens, &sec[i]); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s[count + j], &s[count + j]); + rustsecp256k1zkp_v0_6_0_scalar_add(&s[count + j], &s[count + j], &k[i]); + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s[count + j])) { return 0; } count += rsizes[i]; } - rustsecp256k1zkp_v0_5_0_scalar_clear(&ens); - rustsecp256k1zkp_v0_5_0_ge_clear(&rge); - rustsecp256k1zkp_v0_5_0_gej_clear(&rgej); + rustsecp256k1zkp_v0_6_0_scalar_clear(&ens); + rustsecp256k1zkp_v0_6_0_ge_clear(&rge); + rustsecp256k1zkp_v0_6_0_gej_clear(&rgej); memset(tmp, 0, 33); return 1; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/main_impl.h index 3785f3ca..fb7c7ccd 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/main_impl.h @@ -24,33 +24,33 @@ H = EllipticCurve ([F (0), F (7)]).lift_x(F(int(hashlib.sha256(G.decode('hex')).hexdigest(),16))) print('%x %x' % H.xy()) */ -static const rustsecp256k1zkp_v0_5_0_generator rustsecp256k1zkp_v0_5_0_generator_h_internal = {{ +static const rustsecp256k1zkp_v0_6_0_generator rustsecp256k1zkp_v0_6_0_generator_h_internal = {{ 0x50, 0x92, 0x9b, 0x74, 0xc1, 0xa0, 0x49, 0x54, 0xb7, 0x8b, 0x4b, 0x60, 0x35, 0xe9, 0x7a, 0x5e, 0x07, 0x8a, 0x5a, 0x0f, 0x28, 0xec, 0x96, 0xd5, 0x47, 0xbf, 0xee, 0x9a, 0xce, 0x80, 0x3a, 0xc0, 0x31, 0xd3, 0xc6, 0x86, 0x39, 0x73, 0x92, 0x6e, 0x04, 0x9e, 0x63, 0x7c, 0xb1, 0xb5, 0xf4, 0x0a, 0x36, 0xda, 0xc2, 0x8a, 0xf1, 0x76, 0x69, 0x68, 0xc3, 0x0c, 0x23, 0x13, 0xf3, 0xa3, 0x89, 0x04 }}; -const rustsecp256k1zkp_v0_5_0_generator *rustsecp256k1zkp_v0_5_0_generator_h = &rustsecp256k1zkp_v0_5_0_generator_h_internal; +const rustsecp256k1zkp_v0_6_0_generator *rustsecp256k1zkp_v0_6_0_generator_h = &rustsecp256k1zkp_v0_6_0_generator_h_internal; -static void rustsecp256k1zkp_v0_5_0_pedersen_commitment_load(rustsecp256k1zkp_v0_5_0_ge* ge, const rustsecp256k1zkp_v0_5_0_pedersen_commitment* commit) { - rustsecp256k1zkp_v0_5_0_fe fe; - rustsecp256k1zkp_v0_5_0_fe_set_b32(&fe, &commit->data[1]); - rustsecp256k1zkp_v0_5_0_ge_set_xquad(ge, &fe); +static void rustsecp256k1zkp_v0_6_0_pedersen_commitment_load(rustsecp256k1zkp_v0_6_0_ge* ge, const rustsecp256k1zkp_v0_6_0_pedersen_commitment* commit) { + rustsecp256k1zkp_v0_6_0_fe fe; + rustsecp256k1zkp_v0_6_0_fe_set_b32(&fe, &commit->data[1]); + rustsecp256k1zkp_v0_6_0_ge_set_xquad(ge, &fe); if (commit->data[0] & 1) { - rustsecp256k1zkp_v0_5_0_ge_neg(ge, ge); + rustsecp256k1zkp_v0_6_0_ge_neg(ge, ge); } } -static void rustsecp256k1zkp_v0_5_0_pedersen_commitment_save(rustsecp256k1zkp_v0_5_0_pedersen_commitment* commit, rustsecp256k1zkp_v0_5_0_ge* ge) { - rustsecp256k1zkp_v0_5_0_fe_normalize(&ge->x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&commit->data[1], &ge->x); - commit->data[0] = 9 ^ rustsecp256k1zkp_v0_5_0_fe_is_quad_var(&ge->y); +static void rustsecp256k1zkp_v0_6_0_pedersen_commitment_save(rustsecp256k1zkp_v0_6_0_pedersen_commitment* commit, rustsecp256k1zkp_v0_6_0_ge* ge) { + rustsecp256k1zkp_v0_6_0_fe_normalize(&ge->x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&commit->data[1], &ge->x); + commit->data[0] = 9 ^ rustsecp256k1zkp_v0_6_0_fe_is_quad_var(&ge->y); } -int rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pedersen_commitment* commit, const unsigned char *input) { - rustsecp256k1zkp_v0_5_0_fe x; - rustsecp256k1zkp_v0_5_0_ge ge; +int rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pedersen_commitment* commit, const unsigned char *input) { + rustsecp256k1zkp_v0_6_0_fe x; + rustsecp256k1zkp_v0_6_0_ge ge; VERIFY_CHECK(ctx != NULL); ARG_CHECK(commit != NULL); @@ -58,67 +58,67 @@ int rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse(const rustsecp256k1zkp_v0_ (void) ctx; if ((input[0] & 0xFE) != 8 || - !rustsecp256k1zkp_v0_5_0_fe_set_b32(&x, &input[1]) || - !rustsecp256k1zkp_v0_5_0_ge_set_xquad(&ge, &x)) { + !rustsecp256k1zkp_v0_6_0_fe_set_b32(&x, &input[1]) || + !rustsecp256k1zkp_v0_6_0_ge_set_xquad(&ge, &x)) { return 0; } if (input[0] & 1) { - rustsecp256k1zkp_v0_5_0_ge_neg(&ge, &ge); + rustsecp256k1zkp_v0_6_0_ge_neg(&ge, &ge); } - rustsecp256k1zkp_v0_5_0_pedersen_commitment_save(commit, &ge); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_save(commit, &ge); return 1; } -int rustsecp256k1zkp_v0_5_0_pedersen_commitment_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, const rustsecp256k1zkp_v0_5_0_pedersen_commitment* commit) { - rustsecp256k1zkp_v0_5_0_ge ge; +int rustsecp256k1zkp_v0_6_0_pedersen_commitment_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, const rustsecp256k1zkp_v0_6_0_pedersen_commitment* commit) { + rustsecp256k1zkp_v0_6_0_ge ge; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output != NULL); ARG_CHECK(commit != NULL); - rustsecp256k1zkp_v0_5_0_pedersen_commitment_load(&ge, commit); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_load(&ge, commit); - output[0] = 9 ^ rustsecp256k1zkp_v0_5_0_fe_is_quad_var(&ge.y); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&output[1], &ge.x); + output[0] = 9 ^ rustsecp256k1zkp_v0_6_0_fe_is_quad_var(&ge.y); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&output[1], &ge.x); return 1; } /* Generates a pedersen commitment: *commit = blind * G + value * G2. The blinding factor is 32 bytes.*/ -int rustsecp256k1zkp_v0_5_0_pedersen_commit(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, const unsigned char *blind, uint64_t value, const rustsecp256k1zkp_v0_5_0_generator* gen) { - rustsecp256k1zkp_v0_5_0_ge genp; - rustsecp256k1zkp_v0_5_0_gej rj; - rustsecp256k1zkp_v0_5_0_ge r; - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_pedersen_commit(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *blind, uint64_t value, const rustsecp256k1zkp_v0_6_0_generator* gen) { + rustsecp256k1zkp_v0_6_0_ge genp; + rustsecp256k1zkp_v0_6_0_gej rj; + rustsecp256k1zkp_v0_6_0_ge r; + rustsecp256k1zkp_v0_6_0_scalar sec; int overflow; int ret = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(commit != NULL); ARG_CHECK(blind != NULL); ARG_CHECK(gen != NULL); - rustsecp256k1zkp_v0_5_0_generator_load(&genp, gen); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sec, blind, &overflow); + rustsecp256k1zkp_v0_6_0_generator_load(&genp, gen); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sec, blind, &overflow); if (!overflow) { - rustsecp256k1zkp_v0_5_0_pedersen_ecmult(&ctx->ecmult_gen_ctx, &rj, &sec, value, &genp); - if (!rustsecp256k1zkp_v0_5_0_gej_is_infinity(&rj)) { - rustsecp256k1zkp_v0_5_0_ge_set_gej(&r, &rj); - rustsecp256k1zkp_v0_5_0_pedersen_commitment_save(commit, &r); + rustsecp256k1zkp_v0_6_0_pedersen_ecmult(&ctx->ecmult_gen_ctx, &rj, &sec, value, &genp); + if (!rustsecp256k1zkp_v0_6_0_gej_is_infinity(&rj)) { + rustsecp256k1zkp_v0_6_0_ge_set_gej(&r, &rj); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_save(commit, &r); ret = 1; } - rustsecp256k1zkp_v0_5_0_gej_clear(&rj); - rustsecp256k1zkp_v0_5_0_ge_clear(&r); + rustsecp256k1zkp_v0_6_0_gej_clear(&rj); + rustsecp256k1zkp_v0_6_0_ge_clear(&r); } - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } /** Takes a list of n pointers to 32 byte blinding values, the first negs of which are treated with positive sign and the rest * negative, then calculates an additional blinding value that adds to zero. */ -int rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *blind_out, const unsigned char * const *blinds, size_t n, size_t npositive) { - rustsecp256k1zkp_v0_5_0_scalar acc; - rustsecp256k1zkp_v0_5_0_scalar x; +int rustsecp256k1zkp_v0_6_0_pedersen_blind_sum(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *blind_out, const unsigned char * const *blinds, size_t n, size_t npositive) { + rustsecp256k1zkp_v0_6_0_scalar acc; + rustsecp256k1zkp_v0_6_0_scalar x; size_t i; int overflow; VERIFY_CHECK(ctx != NULL); @@ -126,48 +126,48 @@ int rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(const rustsecp256k1zkp_v0_5_0_con ARG_CHECK(blinds != NULL); ARG_CHECK(npositive <= n); (void) ctx; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&acc, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&acc, 0); for (i = 0; i < n; i++) { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&x, blinds[i], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&x, blinds[i], &overflow); if (overflow) { return 0; } if (i >= npositive) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&x, &x); + rustsecp256k1zkp_v0_6_0_scalar_negate(&x, &x); } - rustsecp256k1zkp_v0_5_0_scalar_add(&acc, &acc, &x); + rustsecp256k1zkp_v0_6_0_scalar_add(&acc, &acc, &x); } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(blind_out, &acc); - rustsecp256k1zkp_v0_5_0_scalar_clear(&acc); - rustsecp256k1zkp_v0_5_0_scalar_clear(&x); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(blind_out, &acc); + rustsecp256k1zkp_v0_6_0_scalar_clear(&acc); + rustsecp256k1zkp_v0_6_0_scalar_clear(&x); return 1; } /* Takes two lists of commitments and sums the first set and subtracts the second and verifies that they sum to excess. */ -int rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_pedersen_commitment * const* commits, size_t pcnt, const rustsecp256k1zkp_v0_5_0_pedersen_commitment * const* ncommits, size_t ncnt) { - rustsecp256k1zkp_v0_5_0_gej accj; - rustsecp256k1zkp_v0_5_0_ge add; +int rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_pedersen_commitment * const* commits, size_t pcnt, const rustsecp256k1zkp_v0_6_0_pedersen_commitment * const* ncommits, size_t ncnt) { + rustsecp256k1zkp_v0_6_0_gej accj; + rustsecp256k1zkp_v0_6_0_ge add; size_t i; VERIFY_CHECK(ctx != NULL); ARG_CHECK(!pcnt || (commits != NULL)); ARG_CHECK(!ncnt || (ncommits != NULL)); (void) ctx; - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&accj); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&accj); for (i = 0; i < ncnt; i++) { - rustsecp256k1zkp_v0_5_0_pedersen_commitment_load(&add, ncommits[i]); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&accj, &accj, &add, NULL); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_load(&add, ncommits[i]); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&accj, &accj, &add, NULL); } - rustsecp256k1zkp_v0_5_0_gej_neg(&accj, &accj); + rustsecp256k1zkp_v0_6_0_gej_neg(&accj, &accj); for (i = 0; i < pcnt; i++) { - rustsecp256k1zkp_v0_5_0_pedersen_commitment_load(&add, commits[i]); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&accj, &accj, &add, NULL); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_load(&add, commits[i]); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&accj, &accj, &add, NULL); } - return rustsecp256k1zkp_v0_5_0_gej_is_infinity(&accj); + return rustsecp256k1zkp_v0_6_0_gej_is_infinity(&accj); } -int rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(const rustsecp256k1zkp_v0_5_0_context* ctx, const uint64_t *value, const unsigned char* const* generator_blind, unsigned char* const* blinding_factor, size_t n_total, size_t n_inputs) { - rustsecp256k1zkp_v0_5_0_scalar sum; - rustsecp256k1zkp_v0_5_0_scalar tmp; +int rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(const rustsecp256k1zkp_v0_6_0_context* ctx, const uint64_t *value, const unsigned char* const* generator_blind, unsigned char* const* blinding_factor, size_t n_total, size_t n_inputs) { + rustsecp256k1zkp_v0_6_0_scalar sum; + rustsecp256k1zkp_v0_6_0_scalar tmp; size_t i; VERIFY_CHECK(ctx != NULL); @@ -181,45 +181,45 @@ int rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(const rustsecp256 return 1; } - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sum, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sum, 0); for (i = 0; i < n_total; i++) { int overflow = 0; - rustsecp256k1zkp_v0_5_0_scalar addend; - rustsecp256k1zkp_v0_5_0_scalar_set_u64(&addend, value[i]); /* s = v */ + rustsecp256k1zkp_v0_6_0_scalar addend; + rustsecp256k1zkp_v0_6_0_scalar_set_u64(&addend, value[i]); /* s = v */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&tmp, generator_blind[i], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&tmp, generator_blind[i], &overflow); if (overflow == 1) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&tmp); - rustsecp256k1zkp_v0_5_0_scalar_clear(&addend); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sum); + rustsecp256k1zkp_v0_6_0_scalar_clear(&tmp); + rustsecp256k1zkp_v0_6_0_scalar_clear(&addend); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sum); return 0; } - rustsecp256k1zkp_v0_5_0_scalar_mul(&addend, &addend, &tmp); /* s = vr */ + rustsecp256k1zkp_v0_6_0_scalar_mul(&addend, &addend, &tmp); /* s = vr */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&tmp, blinding_factor[i], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&tmp, blinding_factor[i], &overflow); if (overflow == 1) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&tmp); - rustsecp256k1zkp_v0_5_0_scalar_clear(&addend); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sum); + rustsecp256k1zkp_v0_6_0_scalar_clear(&tmp); + rustsecp256k1zkp_v0_6_0_scalar_clear(&addend); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sum); return 0; } - rustsecp256k1zkp_v0_5_0_scalar_add(&addend, &addend, &tmp); /* s = vr + r' */ - rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&addend, i < n_inputs); /* s is negated if it's an input */ - rustsecp256k1zkp_v0_5_0_scalar_add(&sum, &sum, &addend); /* sum += s */ - rustsecp256k1zkp_v0_5_0_scalar_clear(&addend); + rustsecp256k1zkp_v0_6_0_scalar_add(&addend, &addend, &tmp); /* s = vr + r' */ + rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&addend, i < n_inputs); /* s is negated if it's an input */ + rustsecp256k1zkp_v0_6_0_scalar_add(&sum, &sum, &addend); /* sum += s */ + rustsecp256k1zkp_v0_6_0_scalar_clear(&addend); } /* Right now tmp has the last pedersen blinding factor. Subtract the sum from it. */ - rustsecp256k1zkp_v0_5_0_scalar_negate(&sum, &sum); - rustsecp256k1zkp_v0_5_0_scalar_add(&tmp, &tmp, &sum); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(blinding_factor[n_total - 1], &tmp); + rustsecp256k1zkp_v0_6_0_scalar_negate(&sum, &sum); + rustsecp256k1zkp_v0_6_0_scalar_add(&tmp, &tmp, &sum); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(blinding_factor[n_total - 1], &tmp); - rustsecp256k1zkp_v0_5_0_scalar_clear(&tmp); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sum); + rustsecp256k1zkp_v0_6_0_scalar_clear(&tmp); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sum); return 1; } -int rustsecp256k1zkp_v0_5_0_rangeproof_info(const rustsecp256k1zkp_v0_5_0_context* ctx, int *exp, int *mantissa, +int rustsecp256k1zkp_v0_6_0_rangeproof_info(const rustsecp256k1zkp_v0_6_0_context* ctx, int *exp, int *mantissa, uint64_t *min_value, uint64_t *max_value, const unsigned char *proof, size_t plen) { size_t offset; uint64_t scale; @@ -231,15 +231,15 @@ int rustsecp256k1zkp_v0_5_0_rangeproof_info(const rustsecp256k1zkp_v0_5_0_contex offset = 0; scale = 1; (void)ctx; - return rustsecp256k1zkp_v0_5_0_rangeproof_getheader_impl(&offset, exp, mantissa, &scale, min_value, max_value, proof, plen); + return rustsecp256k1zkp_v0_6_0_rangeproof_getheader_impl(&offset, exp, mantissa, &scale, min_value, max_value, proof, plen); } -int rustsecp256k1zkp_v0_5_0_rangeproof_rewind(const rustsecp256k1zkp_v0_5_0_context* ctx, +int rustsecp256k1zkp_v0_6_0_rangeproof_rewind(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *blind_out, uint64_t *value_out, unsigned char *message_out, size_t *outlen, const unsigned char *nonce, uint64_t *min_value, uint64_t *max_value, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_5_0_generator* gen) { - rustsecp256k1zkp_v0_5_0_ge commitp; - rustsecp256k1zkp_v0_5_0_ge genp; + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_6_0_generator* gen) { + rustsecp256k1zkp_v0_6_0_ge commitp; + rustsecp256k1zkp_v0_6_0_ge genp; VERIFY_CHECK(ctx != NULL); ARG_CHECK(commit != NULL); ARG_CHECK(proof != NULL); @@ -249,18 +249,18 @@ int rustsecp256k1zkp_v0_5_0_rangeproof_rewind(const rustsecp256k1zkp_v0_5_0_cont ARG_CHECK(nonce != NULL); ARG_CHECK(extra_commit != NULL || extra_commit_len == 0); ARG_CHECK(gen != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); - rustsecp256k1zkp_v0_5_0_pedersen_commitment_load(&commitp, commit); - rustsecp256k1zkp_v0_5_0_generator_load(&genp, gen); - return rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_load(&commitp, commit); + rustsecp256k1zkp_v0_6_0_generator_load(&genp, gen); + return rustsecp256k1zkp_v0_6_0_rangeproof_verify_impl(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, blind_out, value_out, message_out, outlen, nonce, min_value, max_value, &commitp, proof, plen, extra_commit, extra_commit_len, &genp); } -int rustsecp256k1zkp_v0_5_0_rangeproof_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, uint64_t *min_value, uint64_t *max_value, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_5_0_generator* gen) { - rustsecp256k1zkp_v0_5_0_ge commitp; - rustsecp256k1zkp_v0_5_0_ge genp; +int rustsecp256k1zkp_v0_6_0_rangeproof_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, uint64_t *min_value, uint64_t *max_value, + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_6_0_generator* gen) { + rustsecp256k1zkp_v0_6_0_ge commitp; + rustsecp256k1zkp_v0_6_0_ge genp; VERIFY_CHECK(ctx != NULL); ARG_CHECK(commit != NULL); ARG_CHECK(proof != NULL); @@ -268,18 +268,18 @@ int rustsecp256k1zkp_v0_5_0_rangeproof_verify(const rustsecp256k1zkp_v0_5_0_cont ARG_CHECK(max_value != NULL); ARG_CHECK(extra_commit != NULL || extra_commit_len == 0); ARG_CHECK(gen != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); - rustsecp256k1zkp_v0_5_0_pedersen_commitment_load(&commitp, commit); - rustsecp256k1zkp_v0_5_0_generator_load(&genp, gen); - return rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(&ctx->ecmult_ctx, NULL, + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_load(&commitp, commit); + rustsecp256k1zkp_v0_6_0_generator_load(&genp, gen); + return rustsecp256k1zkp_v0_6_0_rangeproof_verify_impl(&ctx->ecmult_ctx, NULL, NULL, NULL, NULL, NULL, NULL, min_value, max_value, &commitp, proof, plen, extra_commit, extra_commit_len, &genp); } -int rustsecp256k1zkp_v0_5_0_rangeproof_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *proof, size_t *plen, uint64_t min_value, - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit, const unsigned char *blind, const unsigned char *nonce, int exp, int min_bits, uint64_t value, - const unsigned char *message, size_t msg_len, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_5_0_generator* gen){ - rustsecp256k1zkp_v0_5_0_ge commitp; - rustsecp256k1zkp_v0_5_0_ge genp; +int rustsecp256k1zkp_v0_6_0_rangeproof_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *proof, size_t *plen, uint64_t min_value, + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit, const unsigned char *blind, const unsigned char *nonce, int exp, int min_bits, uint64_t value, + const unsigned char *message, size_t msg_len, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_6_0_generator* gen){ + rustsecp256k1zkp_v0_6_0_ge commitp; + rustsecp256k1zkp_v0_6_0_ge genp; VERIFY_CHECK(ctx != NULL); ARG_CHECK(proof != NULL); ARG_CHECK(plen != NULL); @@ -289,11 +289,11 @@ int rustsecp256k1zkp_v0_5_0_rangeproof_sign(const rustsecp256k1zkp_v0_5_0_contex ARG_CHECK(message != NULL || msg_len == 0); ARG_CHECK(extra_commit != NULL || extra_commit_len == 0); ARG_CHECK(gen != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); - rustsecp256k1zkp_v0_5_0_pedersen_commitment_load(&commitp, commit); - rustsecp256k1zkp_v0_5_0_generator_load(&genp, gen); - return rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + rustsecp256k1zkp_v0_6_0_pedersen_commitment_load(&commitp, commit); + rustsecp256k1zkp_v0_6_0_generator_load(&genp, gen); + return rustsecp256k1zkp_v0_6_0_rangeproof_sign_impl(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, proof, plen, min_value, &commitp, blind, nonce, exp, min_bits, value, message, msg_len, extra_commit, extra_commit_len, &genp); } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen.h index cadcdb89..687dbd63 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen.h @@ -14,9 +14,9 @@ #include /** Multiply a small number with the generator: r = gn*G2 */ -static void rustsecp256k1zkp_v0_5_0_pedersen_ecmult_small(rustsecp256k1zkp_v0_5_0_gej *r, uint64_t gn, const rustsecp256k1zkp_v0_5_0_ge* genp); +static void rustsecp256k1zkp_v0_6_0_pedersen_ecmult_small(rustsecp256k1zkp_v0_6_0_gej *r, uint64_t gn, const rustsecp256k1zkp_v0_6_0_ge* genp); /* sec * G + value * G2. */ -static void rustsecp256k1zkp_v0_5_0_pedersen_ecmult(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_5_0_gej *rj, const rustsecp256k1zkp_v0_5_0_scalar *sec, uint64_t value, const rustsecp256k1zkp_v0_5_0_ge* genp); +static void rustsecp256k1zkp_v0_6_0_pedersen_ecmult(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_6_0_gej *rj, const rustsecp256k1zkp_v0_6_0_scalar *sec, uint64_t value, const rustsecp256k1zkp_v0_6_0_ge* genp); #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen_impl.h index 40097b98..caf36709 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/pedersen_impl.h @@ -17,7 +17,7 @@ #include "scalar.h" #include "util.h" -static void rustsecp256k1zkp_v0_5_0_pedersen_scalar_set_u64(rustsecp256k1zkp_v0_5_0_scalar *sec, uint64_t value) { +static void rustsecp256k1zkp_v0_6_0_pedersen_scalar_set_u64(rustsecp256k1zkp_v0_6_0_scalar *sec, uint64_t value) { unsigned char data[32]; int i; for (i = 0; i < 24; i++) { @@ -27,25 +27,25 @@ static void rustsecp256k1zkp_v0_5_0_pedersen_scalar_set_u64(rustsecp256k1zkp_v0_ data[i] = value >> 56; value <<= 8; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(sec, data, NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(sec, data, NULL); memset(data, 0, 32); } -static void rustsecp256k1zkp_v0_5_0_pedersen_ecmult_small(rustsecp256k1zkp_v0_5_0_gej *r, uint64_t gn, const rustsecp256k1zkp_v0_5_0_ge* genp) { - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_pedersen_scalar_set_u64(&s, gn); - rustsecp256k1zkp_v0_5_0_ecmult_const(r, genp, &s, 64); - rustsecp256k1zkp_v0_5_0_scalar_clear(&s); +static void rustsecp256k1zkp_v0_6_0_pedersen_ecmult_small(rustsecp256k1zkp_v0_6_0_gej *r, uint64_t gn, const rustsecp256k1zkp_v0_6_0_ge* genp) { + rustsecp256k1zkp_v0_6_0_scalar s; + rustsecp256k1zkp_v0_6_0_pedersen_scalar_set_u64(&s, gn); + rustsecp256k1zkp_v0_6_0_ecmult_const(r, genp, &s, 64); + rustsecp256k1zkp_v0_6_0_scalar_clear(&s); } /* sec * G + value * G2. */ -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_pedersen_ecmult(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_5_0_gej *rj, const rustsecp256k1zkp_v0_5_0_scalar *sec, uint64_t value, const rustsecp256k1zkp_v0_5_0_ge* genp) { - rustsecp256k1zkp_v0_5_0_gej vj; - rustsecp256k1zkp_v0_5_0_ecmult_gen(ecmult_gen_ctx, rj, sec); - rustsecp256k1zkp_v0_5_0_pedersen_ecmult_small(&vj, value, genp); +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_pedersen_ecmult(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_6_0_gej *rj, const rustsecp256k1zkp_v0_6_0_scalar *sec, uint64_t value, const rustsecp256k1zkp_v0_6_0_ge* genp) { + rustsecp256k1zkp_v0_6_0_gej vj; + rustsecp256k1zkp_v0_6_0_ecmult_gen(ecmult_gen_ctx, rj, sec); + rustsecp256k1zkp_v0_6_0_pedersen_ecmult_small(&vj, value, genp); /* FIXME: constant time. */ - rustsecp256k1zkp_v0_5_0_gej_add_var(rj, rj, &vj, NULL); - rustsecp256k1zkp_v0_5_0_gej_clear(&vj); + rustsecp256k1zkp_v0_6_0_gej_add_var(rj, rj, &vj, NULL); + rustsecp256k1zkp_v0_6_0_gej_clear(&vj); } #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof.h index 80e9c9f8..7140f815 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof.h @@ -12,10 +12,10 @@ #include "ecmult.h" #include "ecmult_gen.h" -static int rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, - const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ecmult_gen_ctx, +static int rustsecp256k1zkp_v0_6_0_rangeproof_verify_impl(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, + const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ecmult_gen_ctx, unsigned char *blindout, uint64_t *value_out, unsigned char *message_out, size_t *outlen, const unsigned char *nonce, - uint64_t *min_value, uint64_t *max_value, const rustsecp256k1zkp_v0_5_0_ge *commit, const unsigned char *proof, size_t plen, - const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_5_0_ge* genp); + uint64_t *min_value, uint64_t *max_value, const rustsecp256k1zkp_v0_6_0_ge *commit, const unsigned char *proof, size_t plen, + const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_6_0_ge* genp); #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof_impl.h index a3540efe..dbad2b5b 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/rangeproof_impl.h @@ -18,9 +18,9 @@ #include "modules/rangeproof/pedersen.h" #include "modules/rangeproof/borromean.h" -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_rangeproof_pub_expand(rustsecp256k1zkp_v0_5_0_gej *pubs, - int exp, size_t *rsizes, size_t rings, const rustsecp256k1zkp_v0_5_0_ge* genp) { - rustsecp256k1zkp_v0_5_0_gej base; +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_rangeproof_pub_expand(rustsecp256k1zkp_v0_6_0_gej *pubs, + int exp, size_t *rsizes, size_t rings, const rustsecp256k1zkp_v0_6_0_ge* genp) { + rustsecp256k1zkp_v0_6_0_gej base; size_t i; size_t j; size_t npub; @@ -28,43 +28,43 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_rangeproof_pub_expand(rusts if (exp < 0) { exp = 0; } - rustsecp256k1zkp_v0_5_0_gej_set_ge(&base, genp); - rustsecp256k1zkp_v0_5_0_gej_neg(&base, &base); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&base, genp); + rustsecp256k1zkp_v0_6_0_gej_neg(&base, &base); while (exp--) { /* Multiplication by 10 */ - rustsecp256k1zkp_v0_5_0_gej tmp; - rustsecp256k1zkp_v0_5_0_gej_double_var(&tmp, &base, NULL); - rustsecp256k1zkp_v0_5_0_gej_double_var(&base, &tmp, NULL); - rustsecp256k1zkp_v0_5_0_gej_double_var(&base, &base, NULL); - rustsecp256k1zkp_v0_5_0_gej_add_var(&base, &base, &tmp, NULL); + rustsecp256k1zkp_v0_6_0_gej tmp; + rustsecp256k1zkp_v0_6_0_gej_double_var(&tmp, &base, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&base, &tmp, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&base, &base, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&base, &base, &tmp, NULL); } npub = 0; for (i = 0; i < rings; i++) { for (j = 1; j < rsizes[i]; j++) { - rustsecp256k1zkp_v0_5_0_gej_add_var(&pubs[npub + j], &pubs[npub + j - 1], &base, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&pubs[npub + j], &pubs[npub + j - 1], &base, NULL); } if (i < rings - 1) { - rustsecp256k1zkp_v0_5_0_gej_double_var(&base, &base, NULL); - rustsecp256k1zkp_v0_5_0_gej_double_var(&base, &base, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&base, &base, NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&base, &base, NULL); } npub += rsizes[i]; } } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(unsigned char* data, const rustsecp256k1zkp_v0_5_0_ge *point) { - rustsecp256k1zkp_v0_5_0_fe pointx; +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(unsigned char* data, const rustsecp256k1zkp_v0_6_0_ge *point) { + rustsecp256k1zkp_v0_6_0_fe pointx; pointx = point->x; - rustsecp256k1zkp_v0_5_0_fe_normalize(&pointx); - data[0] = !rustsecp256k1zkp_v0_5_0_fe_is_quad_var(&point->y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(data + 1, &pointx); + rustsecp256k1zkp_v0_6_0_fe_normalize(&pointx); + data[0] = !rustsecp256k1zkp_v0_6_0_fe_is_quad_var(&point->y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(data + 1, &pointx); } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_genrand(rustsecp256k1zkp_v0_5_0_scalar *sec, rustsecp256k1zkp_v0_5_0_scalar *s, unsigned char *message, - size_t *rsizes, size_t rings, const unsigned char *nonce, const rustsecp256k1zkp_v0_5_0_ge *commit, const unsigned char *proof, size_t len, const rustsecp256k1zkp_v0_5_0_ge* genp) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_rangeproof_genrand(rustsecp256k1zkp_v0_6_0_scalar *sec, rustsecp256k1zkp_v0_6_0_scalar *s, unsigned char *message, + size_t *rsizes, size_t rings, const unsigned char *nonce, const rustsecp256k1zkp_v0_6_0_ge *commit, const unsigned char *proof, size_t len, const rustsecp256k1zkp_v0_6_0_ge* genp) { unsigned char tmp[32]; unsigned char rngseed[32 + 33 + 33 + 10]; - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 rng; - rustsecp256k1zkp_v0_5_0_scalar acc; + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 rng; + rustsecp256k1zkp_v0_6_0_scalar acc; int overflow; int ret; size_t i; @@ -73,45 +73,45 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_genrand(rustsecp2 size_t npub; VERIFY_CHECK(len <= 10); memcpy(rngseed, nonce, 32); - rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(rngseed + 32, commit); - rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(rngseed + 32 + 33, genp); + rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(rngseed + 32, commit); + rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(rngseed + 32 + 33, genp); memcpy(rngseed + 33 + 33 + 32, proof, len); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, rngseed, 32 + 33 + 33 + len); - rustsecp256k1zkp_v0_5_0_scalar_clear(&acc); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, rngseed, 32 + 33 + 33 + len); + rustsecp256k1zkp_v0_6_0_scalar_clear(&acc); npub = 0; ret = 1; for (i = 0; i < rings; i++) { if (i < rings - 1) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, tmp, 32); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, tmp, 32); do { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, tmp, 32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sec[i], tmp, &overflow); - } while (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&sec[i])); - rustsecp256k1zkp_v0_5_0_scalar_add(&acc, &acc, &sec[i]); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, tmp, 32); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sec[i], tmp, &overflow); + } while (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&sec[i])); + rustsecp256k1zkp_v0_6_0_scalar_add(&acc, &acc, &sec[i]); } else { - rustsecp256k1zkp_v0_5_0_scalar_negate(&acc, &acc); + rustsecp256k1zkp_v0_6_0_scalar_negate(&acc, &acc); sec[i] = acc; } for (j = 0; j < rsizes[i]; j++) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, tmp, 32); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, tmp, 32); if (message) { for (b = 0; b < 32; b++) { tmp[b] ^= message[(i * 4 + j) * 32 + b]; message[(i * 4 + j) * 32 + b] = tmp[b]; } } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s[npub], tmp, &overflow); - ret &= !(overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s[npub])); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s[npub], tmp, &overflow); + ret &= !(overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s[npub])); npub++; } } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(&rng); - rustsecp256k1zkp_v0_5_0_scalar_clear(&acc); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1zkp_v0_6_0_scalar_clear(&acc); memset(tmp, 0, 32); return ret; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_range_proveparams(uint64_t *v, size_t *rings, size_t *rsizes, size_t *npub, size_t *secidx, uint64_t *min_value, +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_range_proveparams(uint64_t *v, size_t *rings, size_t *rsizes, size_t *npub, size_t *secidx, uint64_t *min_value, int *mantissa, uint64_t *scale, int *exp, int *min_bits, uint64_t value) { size_t i; *rings = 1; @@ -131,7 +131,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_range_proveparams(uint64_t * /* If either value or min_value is >= 2^63-1 then the other must by zero to avoid overflowing the proven range. */ return 0; } - max_bits = *min_value ? rustsecp256k1zkp_v0_5_0_clz64_var(*min_value) : 64; + max_bits = *min_value ? rustsecp256k1zkp_v0_6_0_clz64_var(*min_value) : 64; if (*min_bits > max_bits) { *min_bits = max_bits; } @@ -160,7 +160,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_range_proveparams(uint64_t * /* If the masked number isn't precise, compute the public offset. */ *min_value = value - v2; /* How many bits do we need to represent our value? */ - *mantissa = *v ? 64 - rustsecp256k1zkp_v0_5_0_clz64_var(*v) : 1; + *mantissa = *v ? 64 - rustsecp256k1zkp_v0_6_0_clz64_var(*v) : 1; if (*min_bits > *mantissa) { /* If the user asked for more precision, give it to them. */ *mantissa = *min_bits; @@ -189,17 +189,17 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_range_proveparams(uint64_t * } /* strawman interface, writes proof in proof, a buffer of plen, proves with respect to min_value the range for commit which has the provided blinding factor and value. */ -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, - const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ecmult_gen_ctx, +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_rangeproof_sign_impl(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, + const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ecmult_gen_ctx, unsigned char *proof, size_t *plen, uint64_t min_value, - const rustsecp256k1zkp_v0_5_0_ge *commit, const unsigned char *blind, const unsigned char *nonce, int exp, int min_bits, uint64_t value, - const unsigned char *message, size_t msg_len, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_5_0_ge* genp){ - rustsecp256k1zkp_v0_5_0_gej pubs[128]; /* Candidate digits for our proof, most inferred. */ - rustsecp256k1zkp_v0_5_0_scalar s[128]; /* Signatures in our proof, most forged. */ - rustsecp256k1zkp_v0_5_0_scalar sec[32]; /* Blinding factors for the correct digits. */ - rustsecp256k1zkp_v0_5_0_scalar k[32]; /* Nonces for our non-forged signatures. */ - rustsecp256k1zkp_v0_5_0_scalar stmp; - rustsecp256k1zkp_v0_5_0_sha256 sha256_m; + const rustsecp256k1zkp_v0_6_0_ge *commit, const unsigned char *blind, const unsigned char *nonce, int exp, int min_bits, uint64_t value, + const unsigned char *message, size_t msg_len, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_6_0_ge* genp){ + rustsecp256k1zkp_v0_6_0_gej pubs[128]; /* Candidate digits for our proof, most inferred. */ + rustsecp256k1zkp_v0_6_0_scalar s[128]; /* Signatures in our proof, most forged. */ + rustsecp256k1zkp_v0_6_0_scalar sec[32]; /* Blinding factors for the correct digits. */ + rustsecp256k1zkp_v0_6_0_scalar k[32]; /* Nonces for our non-forged signatures. */ + rustsecp256k1zkp_v0_6_0_scalar stmp; + rustsecp256k1zkp_v0_6_0_sha256 sha256_m; unsigned char prep[4096]; unsigned char tmp[33]; unsigned char *signs; /* Location of sign flags in the proof. */ @@ -217,7 +217,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(const r if (*plen < 65 || min_value > value || min_bits > 64 || min_bits < 0 || exp < -1 || exp > 18) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_range_proveparams(&v, &rings, rsizes, &npub, secidx, &min_value, &mantissa, &scale, &exp, &min_bits, value)) { + if (!rustsecp256k1zkp_v0_6_0_range_proveparams(&v, &rings, rsizes, &npub, secidx, &min_value, &mantissa, &scale, &exp, &min_bits, value)) { return 0; } proof[len] = (rsizes[0] > 1 ? (64 | exp) : 0) | (min_value ? 32 : 0); @@ -244,12 +244,12 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(const r if (*plen - len < 32 * (npub + rings - 1) + 32 + ((rings+6) >> 3)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_m); - rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(tmp, commit); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, tmp, 33); - rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(tmp, genp); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, tmp, 33); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, proof, len); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_m); + rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(tmp, commit); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, tmp, 33); + rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(tmp, genp); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, tmp, 33); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, proof, len); memset(prep, 0, 4096); if (message != NULL) { @@ -268,14 +268,14 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(const r } prep[idx] = 128; } - if (!rustsecp256k1zkp_v0_5_0_rangeproof_genrand(sec, s, prep, rsizes, rings, nonce, commit, proof, len, genp)) { + if (!rustsecp256k1zkp_v0_6_0_rangeproof_genrand(sec, s, prep, rsizes, rings, nonce, commit, proof, len, genp)) { return 0; } memset(prep, 0, 4096); for (i = 0; i < rings; i++) { /* Sign will overwrite the non-forged signature, move that random value into the nonce. */ k[i] = s[i * 4 + secidx[i]]; - rustsecp256k1zkp_v0_5_0_scalar_clear(&s[i * 4 + secidx[i]]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&s[i * 4 + secidx[i]]); } /** Genrand returns the last blinding factor as -sum(rest), * adding in the blinding factor for our commitment, results in the blinding factor for @@ -283,9 +283,9 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(const r * all the digits in the proof from the commitment. This lets the prover skip sending the * blinded value for one digit. */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&stmp, blind, &overflow); - rustsecp256k1zkp_v0_5_0_scalar_add(&sec[rings - 1], &sec[rings - 1], &stmp); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&sec[rings - 1])) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&stmp, blind, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_add(&sec[rings - 1], &sec[rings - 1], &stmp); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&sec[rings - 1])) { return 0; } signs = &proof[len]; @@ -297,37 +297,37 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(const r npub = 0; for (i = 0; i < rings; i++) { /*OPT: Use the precomputed gen2 basis?*/ - rustsecp256k1zkp_v0_5_0_pedersen_ecmult(ecmult_gen_ctx, &pubs[npub], &sec[i], ((uint64_t)secidx[i] * scale) << (i*2), genp); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&pubs[npub])) { + rustsecp256k1zkp_v0_6_0_pedersen_ecmult(ecmult_gen_ctx, &pubs[npub], &sec[i], ((uint64_t)secidx[i] * scale) << (i*2), genp); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&pubs[npub])) { return 0; } if (i < rings - 1) { unsigned char tmpc[33]; - rustsecp256k1zkp_v0_5_0_ge c; + rustsecp256k1zkp_v0_6_0_ge c; unsigned char quadness; /*OPT: split loop and batch invert.*/ /*OPT: do not compute full pubs[npub] in ge form; we only need x */ - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&c, &pubs[npub]); - rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(tmpc, &c); + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&c, &pubs[npub]); + rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(tmpc, &c); quadness = tmpc[0]; - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, tmpc, 33); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, tmpc, 33); signs[i>>3] |= quadness << (i&7); memcpy(&proof[len], tmpc + 1, 32); len += 32; } npub += rsizes[i]; } - rustsecp256k1zkp_v0_5_0_rangeproof_pub_expand(pubs, exp, rsizes, rings, genp); + rustsecp256k1zkp_v0_6_0_rangeproof_pub_expand(pubs, exp, rsizes, rings, genp); if (extra_commit != NULL) { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, extra_commit, extra_commit_len); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, extra_commit, extra_commit_len); } - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_m, tmp); - if (!rustsecp256k1zkp_v0_5_0_borromean_sign(ecmult_ctx, ecmult_gen_ctx, &proof[len], s, pubs, k, sec, rsizes, secidx, rings, tmp, 32)) { + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_m, tmp); + if (!rustsecp256k1zkp_v0_6_0_borromean_sign(ecmult_ctx, ecmult_gen_ctx, &proof[len], s, pubs, k, sec, rsizes, secidx, rings, tmp, 32)) { return 0; } len += 32; for (i = 0; i < npub; i++) { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&proof[len],&s[i]); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&proof[len],&s[i]); len += 32; } VERIFY_CHECK(len <= *plen); @@ -337,36 +337,36 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_sign_impl(const r } /* Computes blinding factor x given k, s, and the challenge e. */ -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_rangeproof_recover_x(rustsecp256k1zkp_v0_5_0_scalar *x, const rustsecp256k1zkp_v0_5_0_scalar *k, const rustsecp256k1zkp_v0_5_0_scalar *e, - const rustsecp256k1zkp_v0_5_0_scalar *s) { - rustsecp256k1zkp_v0_5_0_scalar stmp; - rustsecp256k1zkp_v0_5_0_scalar_negate(x, s); - rustsecp256k1zkp_v0_5_0_scalar_add(x, x, k); - rustsecp256k1zkp_v0_5_0_scalar_inverse(&stmp, e); - rustsecp256k1zkp_v0_5_0_scalar_mul(x, x, &stmp); +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_rangeproof_recover_x(rustsecp256k1zkp_v0_6_0_scalar *x, const rustsecp256k1zkp_v0_6_0_scalar *k, const rustsecp256k1zkp_v0_6_0_scalar *e, + const rustsecp256k1zkp_v0_6_0_scalar *s) { + rustsecp256k1zkp_v0_6_0_scalar stmp; + rustsecp256k1zkp_v0_6_0_scalar_negate(x, s); + rustsecp256k1zkp_v0_6_0_scalar_add(x, x, k); + rustsecp256k1zkp_v0_6_0_scalar_inverse(&stmp, e); + rustsecp256k1zkp_v0_6_0_scalar_mul(x, x, &stmp); } /* Computes ring's nonce given the blinding factor x, the challenge e, and the signature s. */ -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_rangeproof_recover_k(rustsecp256k1zkp_v0_5_0_scalar *k, const rustsecp256k1zkp_v0_5_0_scalar *x, const rustsecp256k1zkp_v0_5_0_scalar *e, - const rustsecp256k1zkp_v0_5_0_scalar *s) { - rustsecp256k1zkp_v0_5_0_scalar stmp; - rustsecp256k1zkp_v0_5_0_scalar_mul(&stmp, x, e); - rustsecp256k1zkp_v0_5_0_scalar_add(k, s, &stmp); +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_rangeproof_recover_k(rustsecp256k1zkp_v0_6_0_scalar *k, const rustsecp256k1zkp_v0_6_0_scalar *x, const rustsecp256k1zkp_v0_6_0_scalar *e, + const rustsecp256k1zkp_v0_6_0_scalar *s) { + rustsecp256k1zkp_v0_6_0_scalar stmp; + rustsecp256k1zkp_v0_6_0_scalar_mul(&stmp, x, e); + rustsecp256k1zkp_v0_6_0_scalar_add(k, s, &stmp); } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_rangeproof_ch32xor(unsigned char *x, const unsigned char *y) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_rangeproof_ch32xor(unsigned char *x, const unsigned char *y) { int i; for (i = 0; i < 32; i++) { x[i] ^= y[i]; } } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_rewind_inner(rustsecp256k1zkp_v0_5_0_scalar *blind, uint64_t *v, - unsigned char *m, size_t *mlen, rustsecp256k1zkp_v0_5_0_scalar *ev, rustsecp256k1zkp_v0_5_0_scalar *s, - size_t *rsizes, size_t rings, const unsigned char *nonce, const rustsecp256k1zkp_v0_5_0_ge *commit, const unsigned char *proof, size_t len, const rustsecp256k1zkp_v0_5_0_ge *genp) { - rustsecp256k1zkp_v0_5_0_scalar s_orig[128]; - rustsecp256k1zkp_v0_5_0_scalar sec[32]; - rustsecp256k1zkp_v0_5_0_scalar stmp; +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_rangeproof_rewind_inner(rustsecp256k1zkp_v0_6_0_scalar *blind, uint64_t *v, + unsigned char *m, size_t *mlen, rustsecp256k1zkp_v0_6_0_scalar *ev, rustsecp256k1zkp_v0_6_0_scalar *s, + size_t *rsizes, size_t rings, const unsigned char *nonce, const rustsecp256k1zkp_v0_6_0_ge *commit, const unsigned char *proof, size_t len, const rustsecp256k1zkp_v0_6_0_ge *genp) { + rustsecp256k1zkp_v0_6_0_scalar s_orig[128]; + rustsecp256k1zkp_v0_6_0_scalar sec[32]; + rustsecp256k1zkp_v0_6_0_scalar stmp; unsigned char prep[4096]; unsigned char tmp[32]; uint64_t value; @@ -382,12 +382,12 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_rewind_inner(rust VERIFY_CHECK(npub >= 1); memset(prep, 0, 4096); /* Reconstruct the provers random values. */ - rustsecp256k1zkp_v0_5_0_rangeproof_genrand(sec, s_orig, prep, rsizes, rings, nonce, commit, proof, len, genp); + rustsecp256k1zkp_v0_6_0_rangeproof_genrand(sec, s_orig, prep, rsizes, rings, nonce, commit, proof, len, genp); *v = UINT64_MAX; - rustsecp256k1zkp_v0_5_0_scalar_clear(blind); + rustsecp256k1zkp_v0_6_0_scalar_clear(blind); if (rings == 1 && rsizes[0] == 1) { /* With only a single proof, we can only recover the blinding factor. */ - rustsecp256k1zkp_v0_5_0_rangeproof_recover_x(blind, &s_orig[0], &ev[0], &s[0]); + rustsecp256k1zkp_v0_6_0_rangeproof_recover_x(blind, &s_orig[0], &ev[0], &s[0]); if (v) { *v = 0; } @@ -401,8 +401,8 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_rewind_inner(rust size_t idx; /* Look for a value encoding in the last ring. */ idx = npub + rsizes[rings - 1] - 1 - j; - rustsecp256k1zkp_v0_5_0_scalar_get_b32(tmp, &s[idx]); - rustsecp256k1zkp_v0_5_0_rangeproof_ch32xor(tmp, &prep[idx * 32]); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(tmp, &s[idx]); + rustsecp256k1zkp_v0_6_0_rangeproof_ch32xor(tmp, &prep[idx * 32]); if ((tmp[0] & 128) && (memcmp(&tmp[16], &tmp[24], 8) == 0) && (memcmp(&tmp[8], &tmp[16], 8) == 0)) { value = 0; for (i = 0; i < 8; i++) { @@ -434,9 +434,9 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_rewind_inner(rust skip1 += (rings - 1) << 2; skip2 += (rings - 1) << 2; /* Like in the rsize[] == 1 case, Having figured out which s is the one which was not forged, we can recover the blinding factor. */ - rustsecp256k1zkp_v0_5_0_rangeproof_recover_x(&stmp, &s_orig[skip2], &ev[skip2], &s[skip2]); - rustsecp256k1zkp_v0_5_0_scalar_negate(&sec[rings - 1], &sec[rings - 1]); - rustsecp256k1zkp_v0_5_0_scalar_add(blind, &stmp, &sec[rings - 1]); + rustsecp256k1zkp_v0_6_0_rangeproof_recover_x(&stmp, &s_orig[skip2], &ev[skip2], &s[skip2]); + rustsecp256k1zkp_v0_6_0_scalar_negate(&sec[rings - 1], &sec[rings - 1]); + rustsecp256k1zkp_v0_6_0_scalar_add(blind, &stmp, &sec[rings - 1]); if (!m || !mlen || *mlen == 0) { if (mlen) { *mlen = 0; @@ -459,12 +459,12 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_rewind_inner(rust * this could just as well recover the blinding factors and messages could be put there as is done for recovering the * blinding factor in the last ring, but it takes an inversion to recover x so it's faster to put the message data in k. */ - rustsecp256k1zkp_v0_5_0_rangeproof_recover_k(&stmp, &sec[i], &ev[npub], &s[npub]); + rustsecp256k1zkp_v0_6_0_rangeproof_recover_k(&stmp, &sec[i], &ev[npub], &s[npub]); } else { stmp = s[npub]; } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(tmp, &stmp); - rustsecp256k1zkp_v0_5_0_rangeproof_ch32xor(tmp, &prep[npub * 32]); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(tmp, &stmp); + rustsecp256k1zkp_v0_6_0_rangeproof_ch32xor(tmp, &prep[npub * 32]); for (b = 0; b < 32 && offset < *mlen; b++) { m[offset] = tmp[b]; offset++; @@ -475,16 +475,16 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_rewind_inner(rust *mlen = offset; memset(prep, 0, 4096); for (i = 0; i < 128; i++) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&s_orig[i]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&s_orig[i]); } for (i = 0; i < 32; i++) { - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec[i]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec[i]); } - rustsecp256k1zkp_v0_5_0_scalar_clear(&stmp); + rustsecp256k1zkp_v0_6_0_scalar_clear(&stmp); return 1; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_getheader_impl(size_t *offset, int *exp, int *mantissa, uint64_t *scale, +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_rangeproof_getheader_impl(size_t *offset, int *exp, int *mantissa, uint64_t *scale, uint64_t *min_value, uint64_t *max_value, const unsigned char *proof, size_t plen) { int i; int has_nz_range; @@ -538,16 +538,16 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_getheader_impl(si } /* Verifies range proof (len plen) for commit, the min/max values proven are put in the min/max arguments; returns 0 on failure 1 on success.*/ -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, - const rustsecp256k1zkp_v0_5_0_ecmult_gen_context* ecmult_gen_ctx, +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_rangeproof_verify_impl(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, + const rustsecp256k1zkp_v0_6_0_ecmult_gen_context* ecmult_gen_ctx, unsigned char *blindout, uint64_t *value_out, unsigned char *message_out, size_t *outlen, const unsigned char *nonce, - uint64_t *min_value, uint64_t *max_value, const rustsecp256k1zkp_v0_5_0_ge *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_5_0_ge* genp) { - rustsecp256k1zkp_v0_5_0_gej accj; - rustsecp256k1zkp_v0_5_0_gej pubs[128]; - rustsecp256k1zkp_v0_5_0_ge c; - rustsecp256k1zkp_v0_5_0_scalar s[128]; - rustsecp256k1zkp_v0_5_0_scalar evalues[128]; /* Challenges, only used during proof rewind. */ - rustsecp256k1zkp_v0_5_0_sha256 sha256_m; + uint64_t *min_value, uint64_t *max_value, const rustsecp256k1zkp_v0_6_0_ge *commit, const unsigned char *proof, size_t plen, const unsigned char *extra_commit, size_t extra_commit_len, const rustsecp256k1zkp_v0_6_0_ge* genp) { + rustsecp256k1zkp_v0_6_0_gej accj; + rustsecp256k1zkp_v0_6_0_gej pubs[128]; + rustsecp256k1zkp_v0_6_0_ge c; + rustsecp256k1zkp_v0_6_0_scalar s[128]; + rustsecp256k1zkp_v0_6_0_scalar evalues[128]; /* Challenges, only used during proof rewind. */ + rustsecp256k1zkp_v0_6_0_sha256 sha256_m; size_t rsizes[32]; int ret; size_t i; @@ -563,7 +563,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(const unsigned char m[33]; const unsigned char *e0; offset = 0; - if (!rustsecp256k1zkp_v0_5_0_rangeproof_getheader_impl(&offset, &exp, &mantissa, &scale, min_value, max_value, proof, plen)) { + if (!rustsecp256k1zkp_v0_6_0_rangeproof_getheader_impl(&offset, &exp, &mantissa, &scale, min_value, max_value, proof, plen)) { return 0; } offset_post_header = offset; @@ -586,12 +586,12 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(const if (plen - offset < 32 * (npub + rings - 1) + 32 + ((rings+6) >> 3)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_m); - rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(m, commit); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, m, 33); - rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point(m, genp); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, m, 33); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, proof, offset); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_m); + rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(m, commit); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, m, 33); + rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point(m, genp); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, m, 33); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, proof, offset); for(i = 0; i < rings - 1; i++) { signs[i] = (proof[offset + ( i>> 3)] & (1 << (i & 7))) != 0; } @@ -603,39 +603,39 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(const } } npub = 0; - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&accj); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&accj); if (*min_value) { - rustsecp256k1zkp_v0_5_0_pedersen_ecmult_small(&accj, *min_value, genp); + rustsecp256k1zkp_v0_6_0_pedersen_ecmult_small(&accj, *min_value, genp); } for(i = 0; i < rings - 1; i++) { - rustsecp256k1zkp_v0_5_0_fe fe; - if (!rustsecp256k1zkp_v0_5_0_fe_set_b32(&fe, &proof[offset]) || - !rustsecp256k1zkp_v0_5_0_ge_set_xquad(&c, &fe)) { + rustsecp256k1zkp_v0_6_0_fe fe; + if (!rustsecp256k1zkp_v0_6_0_fe_set_b32(&fe, &proof[offset]) || + !rustsecp256k1zkp_v0_6_0_ge_set_xquad(&c, &fe)) { return 0; } if (signs[i]) { - rustsecp256k1zkp_v0_5_0_ge_neg(&c, &c); + rustsecp256k1zkp_v0_6_0_ge_neg(&c, &c); } - /* Not using rustsecp256k1zkp_v0_5_0_rangeproof_serialize_point as we almost have it + /* Not using rustsecp256k1zkp_v0_6_0_rangeproof_serialize_point as we almost have it * serialized form already. */ - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, &signs[i], 1); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, &proof[offset], 32); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pubs[npub], &c); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&accj, &accj, &c, NULL); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, &signs[i], 1); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, &proof[offset], 32); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pubs[npub], &c); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&accj, &accj, &c, NULL); offset += 32; npub += rsizes[i]; } - rustsecp256k1zkp_v0_5_0_gej_neg(&accj, &accj); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&pubs[npub], &accj, commit, NULL); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&pubs[npub])) { + rustsecp256k1zkp_v0_6_0_gej_neg(&accj, &accj); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&pubs[npub], &accj, commit, NULL); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&pubs[npub])) { return 0; } - rustsecp256k1zkp_v0_5_0_rangeproof_pub_expand(pubs, exp, rsizes, rings, genp); + rustsecp256k1zkp_v0_6_0_rangeproof_pub_expand(pubs, exp, rsizes, rings, genp); npub += rsizes[rings - 1]; e0 = &proof[offset]; offset += 32; for (i = 0; i < npub; i++) { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s[i], &proof[offset], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s[i], &proof[offset], &overflow); if (overflow) { return 0; } @@ -646,34 +646,34 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_rangeproof_verify_impl(const return 0; } if (extra_commit != NULL) { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_m, extra_commit, extra_commit_len); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_m, extra_commit, extra_commit_len); } - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_m, m); - ret = rustsecp256k1zkp_v0_5_0_borromean_verify(ecmult_ctx, nonce ? evalues : NULL, e0, s, pubs, rsizes, rings, m, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_m, m); + ret = rustsecp256k1zkp_v0_6_0_borromean_verify(ecmult_ctx, nonce ? evalues : NULL, e0, s, pubs, rsizes, rings, m, 32); if (ret && nonce) { /* Given the nonce, try rewinding the witness to recover its initial state. */ - rustsecp256k1zkp_v0_5_0_scalar blind; + rustsecp256k1zkp_v0_6_0_scalar blind; uint64_t vv; if (!ecmult_gen_ctx) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_rangeproof_rewind_inner(&blind, &vv, message_out, outlen, evalues, s, rsizes, rings, nonce, commit, proof, offset_post_header, genp)) { + if (!rustsecp256k1zkp_v0_6_0_rangeproof_rewind_inner(&blind, &vv, message_out, outlen, evalues, s, rsizes, rings, nonce, commit, proof, offset_post_header, genp)) { return 0; } /* Unwind apparently successful, see if the commitment can be reconstructed. */ /* FIXME: should check vv is in the mantissa's range. */ vv = (vv * scale) + *min_value; - rustsecp256k1zkp_v0_5_0_pedersen_ecmult(ecmult_gen_ctx, &accj, &blind, vv, genp); - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&accj)) { + rustsecp256k1zkp_v0_6_0_pedersen_ecmult(ecmult_gen_ctx, &accj, &blind, vv, genp); + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&accj)) { return 0; } - rustsecp256k1zkp_v0_5_0_gej_neg(&accj, &accj); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&accj, &accj, commit, NULL); - if (!rustsecp256k1zkp_v0_5_0_gej_is_infinity(&accj)) { + rustsecp256k1zkp_v0_6_0_gej_neg(&accj, &accj); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&accj, &accj, commit, NULL); + if (!rustsecp256k1zkp_v0_6_0_gej_is_infinity(&accj)) { return 0; } if (blindout) { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(blindout, &blind); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(blindout, &blind); } if (value_out) { *value_out = vv; diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/tests_impl.h index 3ebbdccb..85e10dfa 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/rangeproof/tests_impl.h @@ -16,72 +16,72 @@ #include "include/secp256k1_rangeproof.h" -static void test_pedersen_api(const rustsecp256k1zkp_v0_5_0_context *none, const rustsecp256k1zkp_v0_5_0_context *sign, const rustsecp256k1zkp_v0_5_0_context *vrfy, const int32_t *ecount) { - rustsecp256k1zkp_v0_5_0_pedersen_commitment commit; - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit_ptr = &commit; +static void test_pedersen_api(const rustsecp256k1zkp_v0_6_0_context *none, const rustsecp256k1zkp_v0_6_0_context *sign, const rustsecp256k1zkp_v0_6_0_context *vrfy, const int32_t *ecount) { + rustsecp256k1zkp_v0_6_0_pedersen_commitment commit; + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit_ptr = &commit; unsigned char blind[32]; unsigned char blind_out[32]; const unsigned char *blind_ptr = blind; unsigned char *blind_out_ptr = blind_out; - uint64_t val = rustsecp256k1zkp_v0_5_0_testrand32(); + uint64_t val = rustsecp256k1zkp_v0_6_0_testrand32(); - rustsecp256k1zkp_v0_5_0_testrand256(blind); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(none, &commit, blind, val, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + rustsecp256k1zkp_v0_6_0_testrand256(blind); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(none, &commit, blind, val, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(vrfy, &commit, blind, val, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(vrfy, &commit, blind, val, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(sign, &commit, blind, val, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(sign, &commit, blind, val, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(sign, NULL, blind, val, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(sign, NULL, blind, val, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(sign, &commit, NULL, val, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(sign, &commit, NULL, val, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(sign, &commit, blind, val, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(sign, &commit, blind, val, NULL) == 0); CHECK(*ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(none, blind_out, &blind_ptr, 1, 1) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_sum(none, blind_out, &blind_ptr, 1, 1) != 0); CHECK(*ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(none, NULL, &blind_ptr, 1, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_sum(none, NULL, &blind_ptr, 1, 1) == 0); CHECK(*ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(none, blind_out, NULL, 1, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_sum(none, blind_out, NULL, 1, 1) == 0); CHECK(*ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(none, blind_out, &blind_ptr, 0, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_sum(none, blind_out, &blind_ptr, 0, 1) == 0); CHECK(*ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(none, blind_out, &blind_ptr, 0, 0) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_sum(none, blind_out, &blind_ptr, 0, 0) != 0); CHECK(*ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(sign, &commit, blind, val, rustsecp256k1zkp_v0_5_0_generator_h) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(none, &commit_ptr, 1, &commit_ptr, 1) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(none, NULL, 0, &commit_ptr, 1) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(none, &commit_ptr, 1, NULL, 0) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(none, NULL, 0, NULL, 0) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(sign, &commit, blind, val, rustsecp256k1zkp_v0_6_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(none, &commit_ptr, 1, &commit_ptr, 1) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(none, NULL, 0, &commit_ptr, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(none, &commit_ptr, 1, NULL, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(none, NULL, 0, NULL, 0) != 0); CHECK(*ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(none, NULL, 1, &commit_ptr, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(none, NULL, 1, &commit_ptr, 1) == 0); CHECK(*ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(none, &commit_ptr, 1, NULL, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(none, &commit_ptr, 1, NULL, 1) == 0); CHECK(*ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 1, 0) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 1, 0) != 0); CHECK(*ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0); CHECK(*ecount == 11); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0); CHECK(*ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(none, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(none, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0); CHECK(*ecount == 13); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(none, &val, NULL, &blind_out_ptr, 1, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(none, &val, NULL, &blind_out_ptr, 1, 0) == 0); CHECK(*ecount == 14); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, NULL, 1, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(none, &val, &blind_ptr, NULL, 1, 0) == 0); CHECK(*ecount == 15); } -static void test_rangeproof_api(const rustsecp256k1zkp_v0_5_0_context *none, const rustsecp256k1zkp_v0_5_0_context *sign, const rustsecp256k1zkp_v0_5_0_context *vrfy, const rustsecp256k1zkp_v0_5_0_context *both, const int32_t *ecount) { +static void test_rangeproof_api(const rustsecp256k1zkp_v0_6_0_context *none, const rustsecp256k1zkp_v0_6_0_context *sign, const rustsecp256k1zkp_v0_6_0_context *vrfy, const rustsecp256k1zkp_v0_6_0_context *both, const int32_t *ecount) { unsigned char proof[5134]; unsigned char blind[32]; - rustsecp256k1zkp_v0_5_0_pedersen_commitment commit; - uint64_t vmin = rustsecp256k1zkp_v0_5_0_testrand32(); - uint64_t val = vmin + rustsecp256k1zkp_v0_5_0_testrand32(); + rustsecp256k1zkp_v0_6_0_pedersen_commitment commit; + uint64_t vmin = rustsecp256k1zkp_v0_6_0_testrand32(); + uint64_t val = vmin + rustsecp256k1zkp_v0_6_0_testrand32(); size_t len = sizeof(proof); /* we'll switch to dylan thomas for this one */ const unsigned char message[68] = "My tears are like the quiet drift / Of petals from some magic rose;"; @@ -89,92 +89,92 @@ static void test_rangeproof_api(const rustsecp256k1zkp_v0_5_0_context *none, con const unsigned char ext_commit[72] = "And all my grief flows from the rift / Of unremembered skies and snows."; size_t ext_commit_len = sizeof(ext_commit); - rustsecp256k1zkp_v0_5_0_testrand256(blind); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commit, blind, val, rustsecp256k1zkp_v0_5_0_generator_h)); + rustsecp256k1zkp_v0_6_0_testrand256(blind); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commit, blind, val, rustsecp256k1zkp_v0_6_0_generator_h)); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(none, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(none, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(sign, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(sign, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(vrfy, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(vrfy, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, NULL, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, NULL, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, NULL, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, NULL, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, NULL, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, NULL, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, NULL, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, NULL, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, NULL, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, NULL, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, vmin - 1, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, vmin - 1, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, NULL) == 0); CHECK(*ecount == 11); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(both, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); { int exp; int mantissa; uint64_t min_value; uint64_t max_value; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_info(none, &exp, &mantissa, &min_value, &max_value, proof, len) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_info(none, &exp, &mantissa, &min_value, &max_value, proof, len) != 0); CHECK(exp == 0); CHECK(((uint64_t) 1 << mantissa) > val - vmin); CHECK(((uint64_t) 1 << (mantissa - 1)) <= val - vmin); CHECK(min_value == vmin); CHECK(max_value >= val); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_info(none, NULL, &mantissa, &min_value, &max_value, proof, len) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_info(none, NULL, &mantissa, &min_value, &max_value, proof, len) == 0); CHECK(*ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_info(none, &exp, NULL, &min_value, &max_value, proof, len) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_info(none, &exp, NULL, &min_value, &max_value, proof, len) == 0); CHECK(*ecount == 13); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_info(none, &exp, &mantissa, NULL, &max_value, proof, len) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_info(none, &exp, &mantissa, NULL, &max_value, proof, len) == 0); CHECK(*ecount == 14); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_info(none, &exp, &mantissa, &min_value, NULL, proof, len) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_info(none, &exp, &mantissa, &min_value, NULL, proof, len) == 0); CHECK(*ecount == 15); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_info(none, &exp, &mantissa, &min_value, &max_value, NULL, len) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_info(none, &exp, &mantissa, &min_value, &max_value, NULL, len) == 0); CHECK(*ecount == 16); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_info(none, &exp, &mantissa, &min_value, &max_value, proof, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_info(none, &exp, &mantissa, &min_value, &max_value, proof, 0) == 0); CHECK(*ecount == 16); } { uint64_t min_value; uint64_t max_value; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(none, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(none, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 17); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(sign, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(sign, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 18); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 18); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 19); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 20); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 21); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 22); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 22); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 23); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 23); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(vrfy, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); CHECK(*ecount == 24); } { @@ -185,13 +185,13 @@ static void test_rangeproof_api(const rustsecp256k1zkp_v0_5_0_context *none, con uint64_t max_value; size_t message_len = sizeof(message_out); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(none, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(none, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 25); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(sign, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(sign, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 26); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(vrfy, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(vrfy, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 27); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 27); CHECK(min_value == vmin); @@ -200,51 +200,51 @@ static void test_rangeproof_api(const rustsecp256k1zkp_v0_5_0_context *none, con CHECK(message_len == sizeof(message_out)); CHECK(memcmp(message, message_out, sizeof(message_out)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, NULL, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, NULL, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 27); /* blindout may be NULL */ - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, NULL, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, NULL, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 27); /* valueout may be NULL */ - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 28); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) != 0); CHECK(*ecount == 28); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, NULL, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, NULL, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 29); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 30); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 31); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 32); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 33); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 33); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 34); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h) == 0); CHECK(*ecount == 34); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(both, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); CHECK(*ecount == 35); } } static void test_api(void) { - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_context *both = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *both = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); int32_t ecount; int i; - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); for (i = 0; i < count; i++) { ecount = 0; @@ -253,26 +253,26 @@ static void test_api(void) { test_rangeproof_api(none, sign, vrfy, both, &ecount); } - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_destroy(both); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(both); } static void test_pedersen(void) { - rustsecp256k1zkp_v0_5_0_pedersen_commitment commits[19]; - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *cptr[19]; + rustsecp256k1zkp_v0_6_0_pedersen_commitment commits[19]; + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *cptr[19]; unsigned char blinds[32*19]; const unsigned char *bptr[19]; - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar s; uint64_t values[19]; int64_t totalv; int i; int inputs; int outputs; int total; - inputs = (rustsecp256k1zkp_v0_5_0_testrand32() & 7) + 1; - outputs = (rustsecp256k1zkp_v0_5_0_testrand32() & 7) + 2; + inputs = (rustsecp256k1zkp_v0_6_0_testrand32() & 7) + 1; + outputs = (rustsecp256k1zkp_v0_6_0_testrand32() & 7) + 2; total = inputs + outputs; for (i = 0; i < 19; i++) { cptr[i] = &commits[i]; @@ -280,50 +280,50 @@ static void test_pedersen(void) { } totalv = 0; for (i = 0; i < inputs; i++) { - values[i] = rustsecp256k1zkp_v0_5_0_testrandi64(0, INT64_MAX - totalv); + values[i] = rustsecp256k1zkp_v0_6_0_testrandi64(0, INT64_MAX - totalv); totalv += values[i]; } for (i = 0; i < outputs - 1; i++) { - values[i + inputs] = rustsecp256k1zkp_v0_5_0_testrandi64(0, totalv); + values[i + inputs] = rustsecp256k1zkp_v0_6_0_testrandi64(0, totalv); totalv -= values[i + inputs]; } values[total - 1] = totalv; for (i = 0; i < total - 1; i++) { random_scalar_order(&s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&blinds[i * 32], &s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&blinds[i * 32], &s); } - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_sum(ctx, &blinds[(total - 1) * 32], bptr, total - 1, inputs)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_sum(ctx, &blinds[(total - 1) * 32], bptr, total - 1, inputs)); for (i = 0; i < total; i++) { - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], rustsecp256k1zkp_v0_6_0_generator_h)); } - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(ctx, cptr, inputs, &cptr[inputs], outputs)); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(ctx, &cptr[inputs], outputs, cptr, inputs)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(ctx, cptr, inputs, &cptr[inputs], outputs)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(ctx, &cptr[inputs], outputs, cptr, inputs)); if (inputs > 0 && values[0] > 0) { - CHECK(!rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(ctx, cptr, inputs - 1, &cptr[inputs], outputs)); + CHECK(!rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(ctx, cptr, inputs - 1, &cptr[inputs], outputs)); } random_scalar_order(&s); for (i = 0; i < 4; i++) { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&blinds[i * 32], &s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&blinds[i * 32], &s); } values[0] = INT64_MAX; values[1] = 0; values[2] = 1; for (i = 0; i < 3; i++) { - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], rustsecp256k1zkp_v0_6_0_generator_h)); } - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(ctx, &cptr[0], 1, &cptr[0], 1)); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(ctx, &cptr[1], 1, &cptr[1], 1)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(ctx, &cptr[0], 1, &cptr[0], 1)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(ctx, &cptr[1], 1, &cptr[1], 1)); } static void test_borromean(void) { unsigned char e0[32]; - rustsecp256k1zkp_v0_5_0_scalar s[64]; - rustsecp256k1zkp_v0_5_0_gej pubs[64]; - rustsecp256k1zkp_v0_5_0_scalar k[8]; - rustsecp256k1zkp_v0_5_0_scalar sec[8]; - rustsecp256k1zkp_v0_5_0_ge ge; - rustsecp256k1zkp_v0_5_0_scalar one; + rustsecp256k1zkp_v0_6_0_scalar s[64]; + rustsecp256k1zkp_v0_6_0_gej pubs[64]; + rustsecp256k1zkp_v0_6_0_scalar k[8]; + rustsecp256k1zkp_v0_6_0_scalar sec[8]; + rustsecp256k1zkp_v0_6_0_ge ge; + rustsecp256k1zkp_v0_6_0_scalar one; unsigned char m[32]; size_t rsizes[8]; size_t secidx[8]; @@ -331,31 +331,31 @@ static void test_borromean(void) { size_t i; size_t j; int c; - rustsecp256k1zkp_v0_5_0_testrand256_test(m); - nrings = 1 + (rustsecp256k1zkp_v0_5_0_testrand32()&7); + rustsecp256k1zkp_v0_6_0_testrand256_test(m); + nrings = 1 + (rustsecp256k1zkp_v0_6_0_testrand32()&7); c = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&one, 1); - if (rustsecp256k1zkp_v0_5_0_testrand32()&1) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&one, &one); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&one, 1); + if (rustsecp256k1zkp_v0_6_0_testrand32()&1) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&one, &one); } for (i = 0; i < nrings; i++) { - rsizes[i] = 1 + (rustsecp256k1zkp_v0_5_0_testrand32()&7); - secidx[i] = rustsecp256k1zkp_v0_5_0_testrand32() % rsizes[i]; + rsizes[i] = 1 + (rustsecp256k1zkp_v0_6_0_testrand32()&7); + secidx[i] = rustsecp256k1zkp_v0_6_0_testrand32() % rsizes[i]; random_scalar_order(&sec[i]); random_scalar_order(&k[i]); - if(rustsecp256k1zkp_v0_5_0_testrand32()&7) { + if(rustsecp256k1zkp_v0_6_0_testrand32()&7) { sec[i] = one; } - if(rustsecp256k1zkp_v0_5_0_testrand32()&7) { + if(rustsecp256k1zkp_v0_6_0_testrand32()&7) { k[i] = one; } for (j = 0; j < rsizes[i]; j++) { random_scalar_order(&s[c + j]); - if(rustsecp256k1zkp_v0_5_0_testrand32()&7) { + if(rustsecp256k1zkp_v0_6_0_testrand32()&7) { s[i] = one; } if (j == secidx[i]) { - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubs[c + j], &sec[i]); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubs[c + j], &sec[i]); } else { random_group_element_test(&ge); random_group_element_jacobian_test(&pubs[c + j],&ge); @@ -363,28 +363,28 @@ static void test_borromean(void) { } c += rsizes[i]; } - CHECK(rustsecp256k1zkp_v0_5_0_borromean_sign(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, e0, s, pubs, k, sec, rsizes, secidx, nrings, m, 32)); - CHECK(rustsecp256k1zkp_v0_5_0_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32)); - i = rustsecp256k1zkp_v0_5_0_testrand32() % c; - rustsecp256k1zkp_v0_5_0_scalar_negate(&s[i],&s[i]); - CHECK(!rustsecp256k1zkp_v0_5_0_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32)); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s[i],&s[i]); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&one, 1); + CHECK(rustsecp256k1zkp_v0_6_0_borromean_sign(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, e0, s, pubs, k, sec, rsizes, secidx, nrings, m, 32)); + CHECK(rustsecp256k1zkp_v0_6_0_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32)); + i = rustsecp256k1zkp_v0_6_0_testrand32() % c; + rustsecp256k1zkp_v0_6_0_scalar_negate(&s[i],&s[i]); + CHECK(!rustsecp256k1zkp_v0_6_0_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32)); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s[i],&s[i]); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&one, 1); for(j = 0; j < 4; j++) { - i = rustsecp256k1zkp_v0_5_0_testrand32() % c; - if (rustsecp256k1zkp_v0_5_0_testrand32() & 1) { - rustsecp256k1zkp_v0_5_0_gej_double_var(&pubs[i],&pubs[i], NULL); + i = rustsecp256k1zkp_v0_6_0_testrand32() % c; + if (rustsecp256k1zkp_v0_6_0_testrand32() & 1) { + rustsecp256k1zkp_v0_6_0_gej_double_var(&pubs[i],&pubs[i], NULL); } else { - rustsecp256k1zkp_v0_5_0_scalar_add(&s[i],&s[i],&one); + rustsecp256k1zkp_v0_6_0_scalar_add(&s[i],&s[i],&one); } - CHECK(!rustsecp256k1zkp_v0_5_0_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32)); + CHECK(!rustsecp256k1zkp_v0_6_0_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32)); } } static void test_rangeproof(void) { const uint64_t testvs[11] = {0, 1, 5, 11, 65535, 65537, INT32_MAX, UINT32_MAX, INT64_MAX - 1, INT64_MAX, UINT64_MAX}; - rustsecp256k1zkp_v0_5_0_pedersen_commitment commit; - rustsecp256k1zkp_v0_5_0_pedersen_commitment commit2; + rustsecp256k1zkp_v0_6_0_pedersen_commitment commit; + rustsecp256k1zkp_v0_6_0_pedersen_commitment commit2; unsigned char proof[5134 + 1]; /* One additional byte to test if trailing bytes are rejected */ unsigned char blind[32]; unsigned char blindout[32]; @@ -408,10 +408,10 @@ static void test_rangeproof(void) { memcpy(&message_long[i], message_short, sizeof(message_short)); } - rustsecp256k1zkp_v0_5_0_testrand256(blind); + rustsecp256k1zkp_v0_6_0_testrand256(blind); for (i = 0; i < 11; i++) { v = testvs[i]; - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_6_0_generator_h)); for (vmin = 0; vmin < (i<9 && i > 0 ? 2 : 1); vmin++) { const unsigned char *input_message = NULL; size_t input_message_len = 0; @@ -427,10 +427,10 @@ static void test_rangeproof(void) { input_message_len = sizeof(message_long); } len = 5134; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, v, input_message, input_message_len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, v, input_message, input_message_len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(len <= 5134); mlen = 4096; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); if (input_message != NULL) { CHECK(memcmp(message, input_message, input_message_len) == 0); } @@ -443,9 +443,9 @@ static void test_rangeproof(void) { CHECK(minv <= v); CHECK(maxv >= v); len = 5134; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(len <= 73); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(memcmp(blindout, blind, 32) == 0); CHECK(vout == v); CHECK(minv == v); @@ -453,47 +453,47 @@ static void test_rangeproof(void) { /* Check with a committed message */ len = 5134; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, message_short, sizeof(message_short), rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, message_short, sizeof(message_short), rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(len <= 73); - CHECK(!rustsecp256k1zkp_v0_5_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); - CHECK(!rustsecp256k1zkp_v0_5_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_long, sizeof(message_long), rustsecp256k1zkp_v0_5_0_generator_h)); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(!rustsecp256k1zkp_v0_6_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); + CHECK(!rustsecp256k1zkp_v0_6_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_long, sizeof(message_long), rustsecp256k1zkp_v0_6_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(memcmp(blindout, blind, 32) == 0); CHECK(vout == v); CHECK(minv == v); CHECK(maxv == v); } } - rustsecp256k1zkp_v0_5_0_testrand256(blind); + rustsecp256k1zkp_v0_6_0_testrand256(blind); v = INT64_MAX - 1; - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_6_0_generator_h)); for (i = 0; i < 19; i++) { len = 5134; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(len <= 5134); CHECK(minv <= v); CHECK(maxv >= v); /* Make sure it fails when validating with a committed message */ - CHECK(!rustsecp256k1zkp_v0_5_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(!rustsecp256k1zkp_v0_6_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), rustsecp256k1zkp_v0_6_0_generator_h)); } - rustsecp256k1zkp_v0_5_0_testrand256(blind); + rustsecp256k1zkp_v0_6_0_testrand256(blind); { /*Malleability test.*/ - v = rustsecp256k1zkp_v0_5_0_testrandi64(0, 255); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_5_0_generator_h)); + v = rustsecp256k1zkp_v0_6_0_testrandi64(0, 255); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_6_0_generator_h)); len = 5134; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(len <= 5134); /* Test if trailing bytes are rejected. */ proof[len] = v; - CHECK(!rustsecp256k1zkp_v0_5_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len + 1, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(!rustsecp256k1zkp_v0_6_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len + 1, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); for (i = 0; i < len*8; i++) { proof[i >> 3] ^= 1 << (i & 7); - CHECK(!rustsecp256k1zkp_v0_5_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(!rustsecp256k1zkp_v0_6_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); proof[i >> 3] ^= 1 << (i & 7); } - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(minv <= v); CHECK(maxv >= v); } @@ -501,26 +501,26 @@ static void test_rangeproof(void) { for (i = 0; i < (size_t) count; i++) { int exp; int min_bits; - v = rustsecp256k1zkp_v0_5_0_testrandi64(0, UINT64_MAX >> (rustsecp256k1zkp_v0_5_0_testrand32()&63)); + v = rustsecp256k1zkp_v0_6_0_testrandi64(0, UINT64_MAX >> (rustsecp256k1zkp_v0_6_0_testrand32()&63)); vmin = 0; - if ((v < INT64_MAX) && (rustsecp256k1zkp_v0_5_0_testrand32()&1)) { - vmin = rustsecp256k1zkp_v0_5_0_testrandi64(0, v); + if ((v < INT64_MAX) && (rustsecp256k1zkp_v0_6_0_testrand32()&1)) { + vmin = rustsecp256k1zkp_v0_6_0_testrandi64(0, v); } - rustsecp256k1zkp_v0_5_0_testrand256(blind); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_5_0_generator_h)); + rustsecp256k1zkp_v0_6_0_testrand256(blind); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commit, blind, v, rustsecp256k1zkp_v0_6_0_generator_h)); len = 5134; - exp = (int)rustsecp256k1zkp_v0_5_0_testrandi64(0,18)-(int)rustsecp256k1zkp_v0_5_0_testrandi64(0,18); + exp = (int)rustsecp256k1zkp_v0_6_0_testrandi64(0,18)-(int)rustsecp256k1zkp_v0_6_0_testrandi64(0,18); if (exp < 0) { exp = -exp; } - min_bits = (int)rustsecp256k1zkp_v0_5_0_testrandi64(0,64)-(int)rustsecp256k1zkp_v0_5_0_testrandi64(0,64); + min_bits = (int)rustsecp256k1zkp_v0_6_0_testrandi64(0,64)-(int)rustsecp256k1zkp_v0_6_0_testrandi64(0,64); if (min_bits < 0) { min_bits = -min_bits; } - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, exp, min_bits, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, exp, min_bits, v, NULL, 0, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); CHECK(len <= 5134); mlen = 4096; - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); for (j = 0; j < mlen; j++) { CHECK(message[j] == 0); } @@ -529,52 +529,52 @@ static void test_rangeproof(void) { CHECK(minv <= v); CHECK(maxv >= v); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); memcpy(&commit2, &commit, sizeof(commit)); } for (j = 0; j < 3; j++) { for (i = 0; i < 96; i++) { - rustsecp256k1zkp_v0_5_0_testrand256(&proof[i * 32]); + rustsecp256k1zkp_v0_6_0_testrand256(&proof[i * 32]); } for (k = 0; k < 128; k += 3) { len = k; - CHECK(!rustsecp256k1zkp_v0_5_0_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + CHECK(!rustsecp256k1zkp_v0_6_0_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); } - len = rustsecp256k1zkp_v0_5_0_testrandi64(0, 3072); - CHECK(!rustsecp256k1zkp_v0_5_0_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, rustsecp256k1zkp_v0_5_0_generator_h)); + len = rustsecp256k1zkp_v0_6_0_testrandi64(0, 3072); + CHECK(!rustsecp256k1zkp_v0_6_0_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, rustsecp256k1zkp_v0_6_0_generator_h)); } } #define MAX_N_GENS 30 void test_multiple_generators(void) { - const size_t n_inputs = (rustsecp256k1zkp_v0_5_0_testrand32() % (MAX_N_GENS / 2)) + 1; - const size_t n_outputs = (rustsecp256k1zkp_v0_5_0_testrand32() % (MAX_N_GENS / 2)) + 1; + const size_t n_inputs = (rustsecp256k1zkp_v0_6_0_testrand32() % (MAX_N_GENS / 2)) + 1; + const size_t n_outputs = (rustsecp256k1zkp_v0_6_0_testrand32() % (MAX_N_GENS / 2)) + 1; const size_t n_generators = n_inputs + n_outputs; unsigned char *generator_blind[MAX_N_GENS]; unsigned char *pedersen_blind[MAX_N_GENS]; - rustsecp256k1zkp_v0_5_0_generator generator[MAX_N_GENS]; - rustsecp256k1zkp_v0_5_0_pedersen_commitment commit[MAX_N_GENS]; - const rustsecp256k1zkp_v0_5_0_pedersen_commitment *commit_ptr[MAX_N_GENS]; + rustsecp256k1zkp_v0_6_0_generator generator[MAX_N_GENS]; + rustsecp256k1zkp_v0_6_0_pedersen_commitment commit[MAX_N_GENS]; + const rustsecp256k1zkp_v0_6_0_pedersen_commitment *commit_ptr[MAX_N_GENS]; size_t i; int64_t total_value; uint64_t value[MAX_N_GENS]; - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar s; unsigned char generator_seed[32]; random_scalar_order(&s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(generator_seed, &s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(generator_seed, &s); /* Create all the needed generators */ for (i = 0; i < n_generators; i++) { generator_blind[i] = (unsigned char*) malloc(32); pedersen_blind[i] = (unsigned char*) malloc(32); random_scalar_order(&s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(generator_blind[i], &s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(generator_blind[i], &s); random_scalar_order(&s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(pedersen_blind[i], &s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(pedersen_blind[i], &s); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &generator[i], generator_seed, generator_blind[i])); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &generator[i], generator_seed, generator_blind[i])); commit_ptr[i] = &commit[i]; } @@ -582,23 +582,23 @@ void test_multiple_generators(void) { /* Compute all the values -- can be positive or negative */ total_value = 0; for (i = 0; i < n_outputs; i++) { - value[n_inputs + i] = rustsecp256k1zkp_v0_5_0_testrandi64(0, INT64_MAX - total_value); + value[n_inputs + i] = rustsecp256k1zkp_v0_6_0_testrandi64(0, INT64_MAX - total_value); total_value += value[n_inputs + i]; } for (i = 0; i < n_inputs - 1; i++) { - value[i] = rustsecp256k1zkp_v0_5_0_testrandi64(0, total_value); + value[i] = rustsecp256k1zkp_v0_6_0_testrandi64(0, total_value); total_value -= value[i]; } value[i] = total_value; /* Correct for blinding factors and do the commitments */ - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum(ctx, value, (const unsigned char * const *) generator_blind, pedersen_blind, n_generators, n_inputs)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum(ctx, value, (const unsigned char * const *) generator_blind, pedersen_blind, n_generators, n_inputs)); for (i = 0; i < n_generators; i++) { - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commit(ctx, &commit[i], pedersen_blind[i], value[i], &generator[i])); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commit(ctx, &commit[i], pedersen_blind[i], value[i], &generator[i])); } /* Verify */ - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_verify_tally(ctx, &commit_ptr[0], n_inputs, &commit_ptr[n_inputs], n_outputs)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_verify_tally(ctx, &commit_ptr[0], n_inputs, &commit_ptr[n_inputs], n_outputs)); /* Cleanup */ for (i = 0; i < n_generators; i++) { @@ -658,17 +658,17 @@ void test_rangeproof_fixed_vectors(void) { }; uint64_t min_value_1; uint64_t max_value_1; - rustsecp256k1zkp_v0_5_0_pedersen_commitment pc; + rustsecp256k1zkp_v0_6_0_pedersen_commitment pc; - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse(ctx, &pc, commit_1)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse(ctx, &pc, commit_1)); - CHECK(rustsecp256k1zkp_v0_5_0_rangeproof_verify( + CHECK(rustsecp256k1zkp_v0_6_0_rangeproof_verify( ctx, &min_value_1, &max_value_1, &pc, vector_1, sizeof(vector_1), NULL, 0, - rustsecp256k1zkp_v0_5_0_generator_h + rustsecp256k1zkp_v0_6_0_generator_h )); } @@ -679,16 +679,16 @@ void test_pedersen_commitment_fixed_vector(void) { 0x5c, 0x77, 0x8e, 0x4b, 0x8c, 0xef, 0x3c, 0xa7, 0xab, 0xac, 0x09, 0xb9, 0x5c, 0x70, 0x9e, 0xe5 }; unsigned char result[33]; - rustsecp256k1zkp_v0_5_0_pedersen_commitment parse; + rustsecp256k1zkp_v0_6_0_pedersen_commitment parse; - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse(ctx, &parse, two_g)); - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commitment_serialize(ctx, result, &parse)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse(ctx, &parse, two_g)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commitment_serialize(ctx, result, &parse)); CHECK(memcmp(two_g, result, 33) == 0); result[0] = 0x08; - CHECK(rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse(ctx, &parse, result)); + CHECK(rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse(ctx, &parse, result)); result[0] = 0x0c; - CHECK(!rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse(ctx, &parse, result)); + CHECK(!rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse(ctx, &parse, result)); } void run_rangeproof_tests(void) { diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include index d3f715d9..a1cbb931 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_recovery.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_recovery.h noinst_HEADERS += src/modules/recovery/main_impl.h noinst_HEADERS += src/modules/recovery/tests_impl.h noinst_HEADERS += src/modules/recovery/tests_exhaustive_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/main_impl.h index 408b799c..994032d2 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/main_impl.h @@ -7,36 +7,36 @@ #ifndef SECP256K1_MODULE_RECOVERY_MAIN_H #define SECP256K1_MODULE_RECOVERY_MAIN_H -#include "include/secp256k1_recovery.h" +#include "../../../include/secp256k1_recovery.h" -static void rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar* r, rustsecp256k1zkp_v0_5_0_scalar* s, int* recid, const rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sig) { +static void rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar* r, rustsecp256k1zkp_v0_6_0_scalar* s, int* recid, const rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sig) { (void)ctx; - if (sizeof(rustsecp256k1zkp_v0_5_0_scalar) == 32) { - /* When the rustsecp256k1zkp_v0_5_0_scalar type is exactly 32 byte, use its - * representation inside rustsecp256k1zkp_v0_5_0_ecdsa_signature, as conversion is very fast. - * Note that rustsecp256k1zkp_v0_5_0_ecdsa_signature_save must use the same representation. */ + if (sizeof(rustsecp256k1zkp_v0_6_0_scalar) == 32) { + /* When the rustsecp256k1zkp_v0_6_0_scalar type is exactly 32 byte, use its + * representation inside rustsecp256k1zkp_v0_6_0_ecdsa_signature, as conversion is very fast. + * Note that rustsecp256k1zkp_v0_6_0_ecdsa_signature_save must use the same representation. */ memcpy(r, &sig->data[0], 32); memcpy(s, &sig->data[32], 32); } else { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, &sig->data[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(s, &sig->data[32], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(r, &sig->data[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(s, &sig->data[32], NULL); } *recid = sig->data[64]; } -static void rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_save(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sig, const rustsecp256k1zkp_v0_5_0_scalar* r, const rustsecp256k1zkp_v0_5_0_scalar* s, int recid) { - if (sizeof(rustsecp256k1zkp_v0_5_0_scalar) == 32) { +static void rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_save(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sig, const rustsecp256k1zkp_v0_6_0_scalar* r, const rustsecp256k1zkp_v0_6_0_scalar* s, int recid) { + if (sizeof(rustsecp256k1zkp_v0_6_0_scalar) == 32) { memcpy(&sig->data[0], r, 32); memcpy(&sig->data[32], s, 32); } else { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig->data[0], r); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig->data[32], s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig->data[0], r); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig->data[32], s); } sig->data[64] = recid; } -int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret = 1; int overflow = 0; @@ -45,111 +45,111 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(const rust ARG_CHECK(input64 != NULL); ARG_CHECK(recid >= 0 && recid <= 3); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&r, &input64[0], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&r, &input64[0], &overflow); ret &= !overflow; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, &input64[32], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, &input64[32], &overflow); ret &= !overflow; if (ret) { - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_save(sig, &r, &s, recid); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_save(sig, &r, &s, recid); } else { memset(sig, 0, sizeof(*sig)); } return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output64, int *recid, const rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sig) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output64, int *recid, const rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sig) { + rustsecp256k1zkp_v0_6_0_scalar r, s; (void)ctx; ARG_CHECK(output64 != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(recid != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&output64[0], &r); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&output64[32], &s); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&output64[0], &r); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&output64[32], &s); return 1; } -int rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature* sigin) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature* sigin) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int recid; (void)ctx; ARG_CHECK(sig != NULL); ARG_CHECK(sigin != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sig, &r, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sig, &r, &s); return 1; } -static int rustsecp256k1zkp_v0_5_0_ecdsa_sig_recover(const rustsecp256k1zkp_v0_5_0_ecmult_context *ctx, const rustsecp256k1zkp_v0_5_0_scalar *sigr, const rustsecp256k1zkp_v0_5_0_scalar* sigs, rustsecp256k1zkp_v0_5_0_ge *pubkey, const rustsecp256k1zkp_v0_5_0_scalar *message, int recid) { +static int rustsecp256k1zkp_v0_6_0_ecdsa_sig_recover(const rustsecp256k1zkp_v0_6_0_ecmult_context *ctx, const rustsecp256k1zkp_v0_6_0_scalar *sigr, const rustsecp256k1zkp_v0_6_0_scalar* sigs, rustsecp256k1zkp_v0_6_0_ge *pubkey, const rustsecp256k1zkp_v0_6_0_scalar *message, int recid) { unsigned char brx[32]; - rustsecp256k1zkp_v0_5_0_fe fx; - rustsecp256k1zkp_v0_5_0_ge x; - rustsecp256k1zkp_v0_5_0_gej xj; - rustsecp256k1zkp_v0_5_0_scalar rn, u1, u2; - rustsecp256k1zkp_v0_5_0_gej qj; + rustsecp256k1zkp_v0_6_0_fe fx; + rustsecp256k1zkp_v0_6_0_ge x; + rustsecp256k1zkp_v0_6_0_gej xj; + rustsecp256k1zkp_v0_6_0_scalar rn, u1, u2; + rustsecp256k1zkp_v0_6_0_gej qj; int r; - if (rustsecp256k1zkp_v0_5_0_scalar_is_zero(sigr) || rustsecp256k1zkp_v0_5_0_scalar_is_zero(sigs)) { + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(sigr) || rustsecp256k1zkp_v0_6_0_scalar_is_zero(sigs)) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(brx, sigr); - r = rustsecp256k1zkp_v0_5_0_fe_set_b32(&fx, brx); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(brx, sigr); + r = rustsecp256k1zkp_v0_6_0_fe_set_b32(&fx, brx); (void)r; VERIFY_CHECK(r); /* brx comes from a scalar, so is less than the order; certainly less than p */ if (recid & 2) { - if (rustsecp256k1zkp_v0_5_0_fe_cmp_var(&fx, &rustsecp256k1zkp_v0_5_0_ecdsa_const_p_minus_order) >= 0) { + if (rustsecp256k1zkp_v0_6_0_fe_cmp_var(&fx, &rustsecp256k1zkp_v0_6_0_ecdsa_const_p_minus_order) >= 0) { return 0; } - rustsecp256k1zkp_v0_5_0_fe_add(&fx, &rustsecp256k1zkp_v0_5_0_ecdsa_const_order_as_fe); + rustsecp256k1zkp_v0_6_0_fe_add(&fx, &rustsecp256k1zkp_v0_6_0_ecdsa_const_order_as_fe); } - if (!rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&x, &fx, recid & 1)) { + if (!rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&x, &fx, recid & 1)) { return 0; } - rustsecp256k1zkp_v0_5_0_gej_set_ge(&xj, &x); - rustsecp256k1zkp_v0_5_0_scalar_inverse_var(&rn, sigr); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u1, &rn, message); - rustsecp256k1zkp_v0_5_0_scalar_negate(&u1, &u1); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u2, &rn, sigs); - rustsecp256k1zkp_v0_5_0_ecmult(ctx, &qj, &xj, &u2, &u1); - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(pubkey, &qj); - return !rustsecp256k1zkp_v0_5_0_gej_is_infinity(&qj); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&xj, &x); + rustsecp256k1zkp_v0_6_0_scalar_inverse_var(&rn, sigr); + rustsecp256k1zkp_v0_6_0_scalar_mul(&u1, &rn, message); + rustsecp256k1zkp_v0_6_0_scalar_negate(&u1, &u1); + rustsecp256k1zkp_v0_6_0_scalar_mul(&u2, &rn, sigs); + rustsecp256k1zkp_v0_6_0_ecmult(ctx, &qj, &xj, &u2, &u1); + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(pubkey, &qj); + return !rustsecp256k1zkp_v0_6_0_gej_is_infinity(&qj); } -int rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, rustsecp256k1zkp_v0_5_0_nonce_function noncefp, const void* noncedata) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void* noncedata) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret, recid; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(msghash32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(ctx, &r, &s, &recid, NULL, NULL, NULL, msghash32, seckey, noncefp, noncedata); - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_save(signature, &r, &s, recid); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sign_inner(ctx, &r, &s, &recid, NULL, NULL, NULL, msghash32, seckey, noncefp, noncedata); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_save(signature, &r, &s, recid); return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_recover(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature *signature, const unsigned char *msghash32) { - rustsecp256k1zkp_v0_5_0_ge q; - rustsecp256k1zkp_v0_5_0_scalar r, s; - rustsecp256k1zkp_v0_5_0_scalar m; +int rustsecp256k1zkp_v0_6_0_ecdsa_recover(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature *signature, const unsigned char *msghash32) { + rustsecp256k1zkp_v0_6_0_ge q; + rustsecp256k1zkp_v0_6_0_scalar r, s; + rustsecp256k1zkp_v0_6_0_scalar m; int recid; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(msghash32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(pubkey != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature); VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&m, msghash32, NULL); - if (rustsecp256k1zkp_v0_5_0_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) { - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &q); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&m, msghash32, NULL); + if (rustsecp256k1zkp_v0_6_0_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) { + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &q); return 1; } else { memset(pubkey, 0, sizeof(*pubkey)); diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_exhaustive_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_exhaustive_impl.h index 6d6eb301..c20e9c77 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_exhaustive_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_exhaustive_impl.h @@ -8,9 +8,9 @@ #define SECP256K1_MODULE_RECOVERY_EXHAUSTIVE_TESTS_H #include "src/modules/recovery/main_impl.h" -#include "include/secp256k1_recovery.h" +#include "../../../include/secp256k1_recovery.h" -void test_exhaustive_recovery_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge *group) { +void test_exhaustive_recovery_sign(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge *group) { int i, j, k; uint64_t iter = 0; @@ -20,23 +20,23 @@ void test_exhaustive_recovery_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, c if (skip_section(&iter)) continue; for (k = 1; k < EXHAUSTIVE_TEST_ORDER; k++) { /* nonce */ const int starting_k = k; - rustsecp256k1zkp_v0_5_0_fe r_dot_y_normalized; - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature rsig; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; - rustsecp256k1zkp_v0_5_0_scalar sk, msg, r, s, expected_r; + rustsecp256k1zkp_v0_6_0_fe r_dot_y_normalized; + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature rsig; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_scalar sk, msg, r, s, expected_r; unsigned char sk32[32], msg32[32]; int expected_recid; int recid; int overflow; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg, i); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sk, j); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(sk32, &sk); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(msg32, &msg); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg, i); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sk, j); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(sk32, &sk); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(msg32, &msg); - rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(ctx, &rsig, msg32, sk32, rustsecp256k1zkp_v0_5_0_nonce_function_smallint, &k); + rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(ctx, &rsig, msg32, sk32, rustsecp256k1zkp_v0_6_0_nonce_function_smallint, &k); /* Check directly */ - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, &rsig); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, &rsig); r_from_k(&expected_r, group, k, &overflow); CHECK(r == expected_r); CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER || @@ -50,18 +50,18 @@ void test_exhaustive_recovery_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, c * in the real group. */ expected_recid = overflow ? 2 : 0; r_dot_y_normalized = group[k].y; - rustsecp256k1zkp_v0_5_0_fe_normalize(&r_dot_y_normalized); + rustsecp256k1zkp_v0_6_0_fe_normalize(&r_dot_y_normalized); /* Also the recovery id is flipped depending if we hit the low-s branch */ if ((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER) { - expected_recid |= rustsecp256k1zkp_v0_5_0_fe_is_odd(&r_dot_y_normalized); + expected_recid |= rustsecp256k1zkp_v0_6_0_fe_is_odd(&r_dot_y_normalized); } else { - expected_recid |= !rustsecp256k1zkp_v0_5_0_fe_is_odd(&r_dot_y_normalized); + expected_recid |= !rustsecp256k1zkp_v0_6_0_fe_is_odd(&r_dot_y_normalized); } CHECK(recid == expected_recid); /* Convert to a standard sig then check */ - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, &sig); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, &sig); /* Note that we compute expected_r *after* signing -- this is important * because our nonce-computing function function might change k during * signing. */ @@ -79,7 +79,7 @@ void test_exhaustive_recovery_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, c } } -void test_exhaustive_recovery_verify(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge *group) { +void test_exhaustive_recovery_verify(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge *group) { /* This is essentially a copy of test_exhaustive_verify, with recovery added */ int s, r, msg, key; uint64_t iter = 0; @@ -87,41 +87,41 @@ void test_exhaustive_recovery_verify(const rustsecp256k1zkp_v0_5_0_context *ctx, for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) { for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) { for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) { - rustsecp256k1zkp_v0_5_0_ge nonconst_ge; - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature rsig; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; - rustsecp256k1zkp_v0_5_0_pubkey pk; - rustsecp256k1zkp_v0_5_0_scalar sk_s, msg_s, r_s, s_s; - rustsecp256k1zkp_v0_5_0_scalar s_times_k_s, msg_plus_r_times_sk_s; + rustsecp256k1zkp_v0_6_0_ge nonconst_ge; + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature rsig; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey pk; + rustsecp256k1zkp_v0_6_0_scalar sk_s, msg_s, r_s, s_s; + rustsecp256k1zkp_v0_6_0_scalar s_times_k_s, msg_plus_r_times_sk_s; int recid = 0; int k, should_verify; unsigned char msg32[32]; if (skip_section(&iter)) continue; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s_s, s); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&r_s, r); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg_s, msg); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sk_s, key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(msg32, &msg_s); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s_s, s); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&r_s, r); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg_s, msg); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sk_s, key); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(msg32, &msg_s); /* Verify by hand */ /* Run through every k value that gives us this r and check that *one* works. * Note there could be none, there could be multiple, ECDSA is weird. */ should_verify = 0; for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) { - rustsecp256k1zkp_v0_5_0_scalar check_x_s; + rustsecp256k1zkp_v0_6_0_scalar check_x_s; r_from_k(&check_x_s, group, k, NULL); if (r_s == check_x_s) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s_times_k_s, k); - rustsecp256k1zkp_v0_5_0_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); - rustsecp256k1zkp_v0_5_0_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); - rustsecp256k1zkp_v0_5_0_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); - should_verify |= rustsecp256k1zkp_v0_5_0_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s_times_k_s, k); + rustsecp256k1zkp_v0_6_0_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); + rustsecp256k1zkp_v0_6_0_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); + should_verify |= rustsecp256k1zkp_v0_6_0_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); } } /* nb we have a "high s" rule */ - should_verify &= !rustsecp256k1zkp_v0_5_0_scalar_is_high(&s_s); + should_verify &= !rustsecp256k1zkp_v0_6_0_scalar_is_high(&s_s); /* We would like to try recovering the pubkey and checking that it matches, * but pubkey recovery is impossible in the exhaustive tests (the reason @@ -129,19 +129,19 @@ void test_exhaustive_recovery_verify(const rustsecp256k1zkp_v0_5_0_context *ctx, * overlap between the sets, so there are no valid signatures). */ /* Verify by converting to a standard signature and calling verify */ - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_save(&rsig, &r_s, &s_s, recid); - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_save(&rsig, &r_s, &s_s, recid); + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge)); - rustsecp256k1zkp_v0_5_0_pubkey_save(&pk, &nonconst_ge); + rustsecp256k1zkp_v0_6_0_pubkey_save(&pk, &nonconst_ge); CHECK(should_verify == - rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pk)); + rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pk)); } } } } } -static void test_exhaustive_recovery(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge *group) { +static void test_exhaustive_recovery(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge *group) { test_exhaustive_recovery_sign(ctx, group); test_exhaustive_recovery_verify(ctx, group); } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_impl.h index 77c4f0b0..9a9b84eb 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/recovery/tests_impl.h @@ -25,19 +25,19 @@ static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned c } /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */ memset(nonce32, 1, 32); - return rustsecp256k1zkp_v0_5_0_testrand_bits(1); + return rustsecp256k1zkp_v0_6_0_testrand_bits(1); } void test_ecdsa_recovery_api(void) { /* Setup contexts that just count errors */ - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_context *both = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_pubkey recpubkey; - rustsecp256k1zkp_v0_5_0_ecdsa_signature normal_sig; - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature recsig; + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *both = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey recpubkey; + rustsecp256k1zkp_v0_6_0_ecdsa_signature normal_sig; + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature recsig; unsigned char privkey[32] = { 1 }; unsigned char message[32] = { 2 }; int32_t ecount = 0; @@ -49,160 +49,160 @@ void test_ecdsa_recovery_api(void) { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); /* Construct and verify corresponding public key. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, privkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); /* Check bad contexts and NULLs for signing */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0); CHECK(ecount == 5); /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */ - rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL); + rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL); CHECK(ecount == 5); /* These will all fail, but not in ARG_CHECK way */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0); /* This one will succeed. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); CHECK(ecount == 5); /* Check signing with a goofy nonce function */ /* Check bad contexts and NULLs for recovery */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(none, &recpubkey, &recsig, message) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(none, &recpubkey, &recsig, message) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(sign, &recpubkey, &recsig, message) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(sign, &recpubkey, &recsig, message) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(both, &recpubkey, &recsig, message) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(both, &recpubkey, &recsig, message) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(both, NULL, &recsig, message) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(both, NULL, &recsig, message) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(both, &recpubkey, NULL, message) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(both, &recpubkey, NULL, message) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0); CHECK(ecount == 5); /* Check NULLs for conversion */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1); /* Check NULLs for de/serialization */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0); CHECK(ecount == 7); /* overflow in signature will fail but not affect ecount */ memcpy(sig, over_privkey, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0); CHECK(ecount == 7); /* cleanup */ - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_destroy(both); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(both); } void test_ecdsa_recovery_end_to_end(void) { unsigned char extra[32] = {0x00}; unsigned char privkey[32]; unsigned char message[32]; - rustsecp256k1zkp_v0_5_0_ecdsa_signature signature[5]; - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature rsignature[5]; + rustsecp256k1zkp_v0_6_0_ecdsa_signature signature[5]; + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature rsignature[5]; unsigned char sig[74]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_pubkey recpubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey recpubkey; int recid = 0; /* Generate a random key and message. */ { - rustsecp256k1zkp_v0_5_0_scalar msg, key; + rustsecp256k1zkp_v0_6_0_scalar msg, key; random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(privkey, &key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(message, &msg); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(privkey, &key); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(message, &msg); } /* Construct and verify corresponding public key. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, privkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); /* Serialize/parse compact and verify/recover. */ extra[0] = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1); extra[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1); extra[31] = 0; extra[0] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[4], &signature[0], 64) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[4], &signature[0], 64) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); memset(&rsignature[4], 0, sizeof(rsignature[4])); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); /* Parse compact (with recovery id) and recover. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0); /* Serialize/destroy/parse signature and verify again. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); - sig[rustsecp256k1zkp_v0_5_0_testrand_bits(6)] += 1 + rustsecp256k1zkp_v0_5_0_testrand_int(255); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); + sig[rustsecp256k1zkp_v0_6_0_testrand_bits(6)] += 1 + rustsecp256k1zkp_v0_6_0_testrand_int(255); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0); /* Recover again */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 || - rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 || + rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0); } /* Tests several edge cases. */ @@ -225,7 +225,7 @@ void test_ecdsa_recovery_edge_cases(void) { 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86, 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57 }; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */ const unsigned char sigb64[64] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -237,19 +237,19 @@ void test_ecdsa_recovery_edge_cases(void) { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, }; - rustsecp256k1zkp_v0_5_0_pubkey pubkeyb; - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature rsig; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey pubkeyb; + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature rsig; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; int recid; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0)); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2)); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3)); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0)); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2)); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3)); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); for (recid = 0; recid < 4; recid++) { int i; @@ -294,40 +294,40 @@ void test_ecdsa_recovery_edge_cases(void) { 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04 }; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1); for (recid2 = 0; recid2 < 4; recid2++) { - rustsecp256k1zkp_v0_5_0_pubkey pubkey2b; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1); + rustsecp256k1zkp_v0_6_0_pubkey pubkey2b; + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1); /* Verifying with (order + r,4) should always fail. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); } /* DER parsing tests. */ /* Zero length r/s. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0); /* Leading zeros. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0); sigbderalt3[4] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); sigbderalt4[7] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); /* Damage signature. */ sigbder[7]++; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); sigbder[7]--; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0); for(i = 0; i < 8; i++) { int c; unsigned char orig = sigbder[i]; @@ -337,7 +337,7 @@ void test_ecdsa_recovery_edge_cases(void) { continue; } sigbder[i] = c; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); } sigbder[i] = orig; } @@ -357,25 +357,25 @@ void test_ecdsa_recovery_edge_cases(void) { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, }; - rustsecp256k1zkp_v0_5_0_pubkey pubkeyc; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1); + rustsecp256k1zkp_v0_6_0_pubkey pubkeyc; + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1); sigcder[4] = 0; sigc64[31] = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); sigcder[4] = 1; sigcder[7] = 0; sigc64[31] = 1; sigc64[63] = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); } } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/Makefile.am.include index 4751e878..01affbcf 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_schnorrsig.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_schnorrsig.h noinst_HEADERS += src/modules/schnorrsig/main_impl.h noinst_HEADERS += src/modules/schnorrsig/tests_impl.h noinst_HEADERS += src/modules/schnorrsig/tests_exhaustive_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/main_impl.h index 76170324..eba0cf78 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/main_impl.h @@ -7,14 +7,14 @@ #ifndef SECP256K1_MODULE_SCHNORRSIG_MAIN_H #define SECP256K1_MODULE_SCHNORRSIG_MAIN_H -#include "include/secp256k1.h" -#include "include/secp256k1_schnorrsig.h" -#include "hash.h" +#include "../../../include/secp256k1.h" +#include "../../../include/secp256k1_schnorrsig.h" +#include "../../hash.h" /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("BIP0340/nonce")||SHA256("BIP0340/nonce"). */ -static void rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0x46615b35ul; sha->s[1] = 0xf4bfbff7ul; sha->s[2] = 0x9f8dc671ul; @@ -29,8 +29,8 @@ static void rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged(rustsecp /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("BIP0340/aux")||SHA256("BIP0340/aux"). */ -static void rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged_aux(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged_aux(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0x24dd3219ul; sha->s[1] = 0x4eba7e70ul; sha->s[2] = 0xca0fabb9ul; @@ -48,7 +48,7 @@ static void rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged_aux(rust static const unsigned char bip340_algo16[16] = "BIP0340/nonce\0\0\0"; static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) { - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; unsigned char masked_key[32]; int i; @@ -57,9 +57,9 @@ static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *ms } if (data != NULL) { - rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged_aux(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, data, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, masked_key); + rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged_aux(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, data, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, masked_key); for (i = 0; i < 32; i++) { masked_key[i] ^= key32[i]; } @@ -68,35 +68,35 @@ static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *ms /* Tag the hash with algo16 which is important to avoid nonce reuse across * algorithms. If this nonce function is used in BIP-340 signing as defined * in the spec, an optimized tagging implementation is used. */ - if (rustsecp256k1zkp_v0_5_0_memcmp_var(algo16, bip340_algo16, 16) == 0) { - rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged(&sha); + if (rustsecp256k1zkp_v0_6_0_memcmp_var(algo16, bip340_algo16, 16) == 0) { + rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged(&sha); } else { int algo16_len = 16; /* Remove terminating null bytes */ while (algo16_len > 0 && !algo16[algo16_len - 1]) { algo16_len--; } - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, algo16, algo16_len); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, algo16, algo16_len); } /* Hash (masked-)key||pk||msg using the tagged hash as per the spec */ if (data != NULL) { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, masked_key, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, masked_key, 32); } else { - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, key32, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, key32, 32); } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, xonly_pk32, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, msg32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, nonce32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, xonly_pk32, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, msg32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, nonce32); return 1; } -const rustsecp256k1zkp_v0_5_0_nonce_function_hardened rustsecp256k1zkp_v0_5_0_nonce_function_bip340 = nonce_function_bip340; +const rustsecp256k1zkp_v0_6_0_nonce_function_hardened rustsecp256k1zkp_v0_6_0_nonce_function_bip340 = nonce_function_bip340; /* Initializes SHA256 with fixed midstate. This midstate was computed by applying * SHA256 to SHA256("BIP0340/challenge")||SHA256("BIP0340/challenge"). */ -static void rustsecp256k1zkp_v0_5_0_schnorrsig_sha256_tagged(rustsecp256k1zkp_v0_5_0_sha256 *sha) { - rustsecp256k1zkp_v0_5_0_sha256_initialize(sha); +static void rustsecp256k1zkp_v0_6_0_schnorrsig_sha256_tagged(rustsecp256k1zkp_v0_6_0_sha256 *sha) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(sha); sha->s[0] = 0x9cecba11ul; sha->s[1] = 0x23925381ul; sha->s[2] = 0x11679112ul; @@ -108,132 +108,132 @@ static void rustsecp256k1zkp_v0_5_0_schnorrsig_sha256_tagged(rustsecp256k1zkp_v0 sha->bytes = 64; } -static void rustsecp256k1zkp_v0_5_0_schnorrsig_challenge(rustsecp256k1zkp_v0_5_0_scalar* e, const unsigned char *r32, const unsigned char *msg32, const unsigned char *pubkey32) +static void rustsecp256k1zkp_v0_6_0_schnorrsig_challenge(rustsecp256k1zkp_v0_6_0_scalar* e, const unsigned char *r32, const unsigned char *msg32, const unsigned char *pubkey32) { unsigned char buf[32]; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; /* tagged hash(r.x, pk.x, msg32) */ - rustsecp256k1zkp_v0_5_0_schnorrsig_sha256_tagged(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, r32, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, pubkey32, 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, msg32, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, buf); + rustsecp256k1zkp_v0_6_0_schnorrsig_sha256_tagged(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, r32, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, pubkey32, 32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, msg32, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, buf); /* Set scalar e to the challenge hash modulo the curve order as per * BIP340. */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(e, buf, NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(e, buf, NULL); } -int rustsecp256k1zkp_v0_5_0_schnorrsig_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *sig64, const unsigned char *msg32, const rustsecp256k1zkp_v0_5_0_keypair *keypair, rustsecp256k1zkp_v0_5_0_nonce_function_hardened noncefp, void *ndata) { - rustsecp256k1zkp_v0_5_0_scalar sk; - rustsecp256k1zkp_v0_5_0_scalar e; - rustsecp256k1zkp_v0_5_0_scalar k; - rustsecp256k1zkp_v0_5_0_gej rj; - rustsecp256k1zkp_v0_5_0_ge pk; - rustsecp256k1zkp_v0_5_0_ge r; +int rustsecp256k1zkp_v0_6_0_schnorrsig_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *sig64, const unsigned char *msg32, const rustsecp256k1zkp_v0_6_0_keypair *keypair, rustsecp256k1zkp_v0_6_0_nonce_function_hardened noncefp, void *ndata) { + rustsecp256k1zkp_v0_6_0_scalar sk; + rustsecp256k1zkp_v0_6_0_scalar e; + rustsecp256k1zkp_v0_6_0_scalar k; + rustsecp256k1zkp_v0_6_0_gej rj; + rustsecp256k1zkp_v0_6_0_ge pk; + rustsecp256k1zkp_v0_6_0_ge r; unsigned char buf[32] = { 0 }; unsigned char pk_buf[32]; unsigned char seckey[32]; int ret = 1; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(sig64 != NULL); ARG_CHECK(msg32 != NULL); ARG_CHECK(keypair != NULL); if (noncefp == NULL) { - noncefp = rustsecp256k1zkp_v0_5_0_nonce_function_bip340; + noncefp = rustsecp256k1zkp_v0_6_0_nonce_function_bip340; } - ret &= rustsecp256k1zkp_v0_5_0_keypair_load(ctx, &sk, &pk, keypair); + ret &= rustsecp256k1zkp_v0_6_0_keypair_load(ctx, &sk, &pk, keypair); /* Because we are signing for a x-only pubkey, the secret key is negated * before signing if the point corresponding to the secret key does not * have an even Y. */ - if (rustsecp256k1zkp_v0_5_0_fe_is_odd(&pk.y)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&sk, &sk); + if (rustsecp256k1zkp_v0_6_0_fe_is_odd(&pk.y)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&sk, &sk); } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &sk); - rustsecp256k1zkp_v0_5_0_fe_get_b32(pk_buf, &pk.x); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &sk); + rustsecp256k1zkp_v0_6_0_fe_get_b32(pk_buf, &pk.x); ret &= !!noncefp(buf, msg32, seckey, pk_buf, bip340_algo16, ndata); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&k, buf, NULL); - ret &= !rustsecp256k1zkp_v0_5_0_scalar_is_zero(&k); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&k, &rustsecp256k1zkp_v0_5_0_scalar_one, !ret); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&k, buf, NULL); + ret &= !rustsecp256k1zkp_v0_6_0_scalar_is_zero(&k); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&k, &rustsecp256k1zkp_v0_6_0_scalar_one, !ret); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&r, &rj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&r, &rj); /* We declassify r to allow using it as a branch point. This is fine * because r is not a secret. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &r, sizeof(r)); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&r.y); - if (rustsecp256k1zkp_v0_5_0_fe_is_odd(&r.y)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&k, &k); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &r, sizeof(r)); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&r.y); + if (rustsecp256k1zkp_v0_6_0_fe_is_odd(&r.y)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&k, &k); } - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&r.x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(&sig64[0], &r.x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&r.x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(&sig64[0], &r.x); - rustsecp256k1zkp_v0_5_0_schnorrsig_challenge(&e, &sig64[0], msg32, pk_buf); - rustsecp256k1zkp_v0_5_0_scalar_mul(&e, &e, &sk); - rustsecp256k1zkp_v0_5_0_scalar_add(&e, &e, &k); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig64[32], &e); + rustsecp256k1zkp_v0_6_0_schnorrsig_challenge(&e, &sig64[0], msg32, pk_buf); + rustsecp256k1zkp_v0_6_0_scalar_mul(&e, &e, &sk); + rustsecp256k1zkp_v0_6_0_scalar_add(&e, &e, &k); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig64[32], &e); - rustsecp256k1zkp_v0_5_0_memczero(sig64, 64, !ret); - rustsecp256k1zkp_v0_5_0_scalar_clear(&k); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sk); + rustsecp256k1zkp_v0_6_0_memczero(sig64, 64, !ret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&k); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sk); memset(seckey, 0, sizeof(seckey)); return ret; } -int rustsecp256k1zkp_v0_5_0_schnorrsig_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const unsigned char *sig64, const unsigned char *msg32, const rustsecp256k1zkp_v0_5_0_xonly_pubkey *pubkey) { - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_scalar e; - rustsecp256k1zkp_v0_5_0_gej rj; - rustsecp256k1zkp_v0_5_0_ge pk; - rustsecp256k1zkp_v0_5_0_gej pkj; - rustsecp256k1zkp_v0_5_0_fe rx; - rustsecp256k1zkp_v0_5_0_ge r; +int rustsecp256k1zkp_v0_6_0_schnorrsig_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *sig64, const unsigned char *msg32, const rustsecp256k1zkp_v0_6_0_xonly_pubkey *pubkey) { + rustsecp256k1zkp_v0_6_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar e; + rustsecp256k1zkp_v0_6_0_gej rj; + rustsecp256k1zkp_v0_6_0_ge pk; + rustsecp256k1zkp_v0_6_0_gej pkj; + rustsecp256k1zkp_v0_6_0_fe rx; + rustsecp256k1zkp_v0_6_0_ge r; unsigned char buf[32]; int overflow; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(sig64 != NULL); ARG_CHECK(msg32 != NULL); ARG_CHECK(pubkey != NULL); - if (!rustsecp256k1zkp_v0_5_0_fe_set_b32(&rx, &sig64[0])) { + if (!rustsecp256k1zkp_v0_6_0_fe_set_b32(&rx, &sig64[0])) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, &sig64[32], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, &sig64[32], &overflow); if (overflow) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_xonly_pubkey_load(ctx, &pk, pubkey)) { + if (!rustsecp256k1zkp_v0_6_0_xonly_pubkey_load(ctx, &pk, pubkey)) { return 0; } /* Compute e. */ - rustsecp256k1zkp_v0_5_0_fe_get_b32(buf, &pk.x); - rustsecp256k1zkp_v0_5_0_schnorrsig_challenge(&e, &sig64[0], msg32, buf); + rustsecp256k1zkp_v0_6_0_fe_get_b32(buf, &pk.x); + rustsecp256k1zkp_v0_6_0_schnorrsig_challenge(&e, &sig64[0], msg32, buf); /* Compute rj = s*G + (-e)*pkj */ - rustsecp256k1zkp_v0_5_0_scalar_negate(&e, &e); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pkj, &pk); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s); + rustsecp256k1zkp_v0_6_0_scalar_negate(&e, &e); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pkj, &pk); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s); - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&r, &rj); - if (rustsecp256k1zkp_v0_5_0_ge_is_infinity(&r)) { + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&r, &rj); + if (rustsecp256k1zkp_v0_6_0_ge_is_infinity(&r)) { return 0; } - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&r.y); - return !rustsecp256k1zkp_v0_5_0_fe_is_odd(&r.y) && - rustsecp256k1zkp_v0_5_0_fe_equal_var(&rx, &r.x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&r.y); + return !rustsecp256k1zkp_v0_6_0_fe_is_odd(&r.y) && + rustsecp256k1zkp_v0_6_0_fe_equal_var(&rx, &r.x); } #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_exhaustive_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_exhaustive_impl.h index 60aeb4f0..6c4e9c28 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_exhaustive_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_exhaustive_impl.h @@ -7,7 +7,7 @@ #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_EXHAUSTIVE_H #define SECP256K1_MODULE_SCHNORRSIG_TESTS_EXHAUSTIVE_H -#include "include/secp256k1_schnorrsig.h" +#include "../../../include/secp256k1_schnorrsig.h" #include "src/modules/schnorrsig/main_impl.h" static const unsigned char invalid_pubkey_bytes[][32] = { @@ -58,21 +58,21 @@ static const unsigned char invalid_pubkey_bytes[][32] = { #define NUM_INVALID_KEYS (sizeof(invalid_pubkey_bytes) / sizeof(invalid_pubkey_bytes[0])) -static int rustsecp256k1zkp_v0_5_0_hardened_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, +static int rustsecp256k1zkp_v0_6_0_hardened_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void* data) { - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar s; int *idata = data; (void)msg32; (void)key32; (void)xonly_pk32; (void)algo16; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s, *idata); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(nonce32, &s); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s, *idata); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(nonce32, &s); return 1; } -static void test_exhaustive_schnorrsig_verify(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_xonly_pubkey* pubkeys, unsigned char (*xonly_pubkey_bytes)[32], const int* parities) { +static void test_exhaustive_schnorrsig_verify(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_xonly_pubkey* pubkeys, unsigned char (*xonly_pubkey_bytes)[32], const int* parities) { int d; uint64_t iter = 0; /* Iterate over the possible public keys to verify against (through their corresponding DL d). */ @@ -98,10 +98,10 @@ static void test_exhaustive_schnorrsig_verify(const rustsecp256k1zkp_v0_5_0_cont } /* Randomly generate messages until all challenges have been hit. */ while (e_count_done < EXHAUSTIVE_TEST_ORDER) { - rustsecp256k1zkp_v0_5_0_scalar e; + rustsecp256k1zkp_v0_6_0_scalar e; unsigned char msg32[32]; - rustsecp256k1zkp_v0_5_0_testrand256(msg32); - rustsecp256k1zkp_v0_5_0_schnorrsig_challenge(&e, sig64, msg32, pk32); + rustsecp256k1zkp_v0_6_0_testrand256(msg32); + rustsecp256k1zkp_v0_6_0_schnorrsig_challenge(&e, sig64, msg32, pk32); /* Only do work if we hit a challenge we haven't tried before. */ if (!e_done[e]) { /* Iterate over the possible valid last 32 bytes in the signature. @@ -110,16 +110,16 @@ static void test_exhaustive_schnorrsig_verify(const rustsecp256k1zkp_v0_5_0_cont for (s = 0; s <= EXHAUSTIVE_TEST_ORDER + 1; ++s) { int expect_valid, valid; if (s <= EXHAUSTIVE_TEST_ORDER) { - rustsecp256k1zkp_v0_5_0_scalar s_s; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s_s, s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(sig64 + 32, &s_s); + rustsecp256k1zkp_v0_6_0_scalar s_s; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s_s, s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(sig64 + 32, &s_s); expect_valid = actual_k != -1 && s != EXHAUSTIVE_TEST_ORDER && (s_s == (actual_k + actual_d * e) % EXHAUSTIVE_TEST_ORDER); } else { - rustsecp256k1zkp_v0_5_0_testrand256(sig64 + 32); + rustsecp256k1zkp_v0_6_0_testrand256(sig64 + 32); expect_valid = 0; } - valid = rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig64, msg32, &pubkeys[d - 1]); + valid = rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig64, msg32, &pubkeys[d - 1]); CHECK(valid == expect_valid); count_valid += valid; } @@ -134,7 +134,7 @@ static void test_exhaustive_schnorrsig_verify(const rustsecp256k1zkp_v0_5_0_cont } } -static void test_exhaustive_schnorrsig_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char (*xonly_pubkey_bytes)[32], const rustsecp256k1zkp_v0_5_0_keypair* keypairs, const int* parities) { +static void test_exhaustive_schnorrsig_sign(const rustsecp256k1zkp_v0_6_0_context *ctx, unsigned char (*xonly_pubkey_bytes)[32], const rustsecp256k1zkp_v0_6_0_keypair* keypairs, const int* parities) { int d, k; uint64_t iter = 0; /* Loop over keys. */ @@ -152,20 +152,20 @@ static void test_exhaustive_schnorrsig_sign(const rustsecp256k1zkp_v0_5_0_contex if (parities[k - 1]) actual_k = EXHAUSTIVE_TEST_ORDER - k; /* Generate random messages until all challenges have been tried. */ while (e_count_done < EXHAUSTIVE_TEST_ORDER) { - rustsecp256k1zkp_v0_5_0_scalar e; - rustsecp256k1zkp_v0_5_0_testrand256(msg32); - rustsecp256k1zkp_v0_5_0_schnorrsig_challenge(&e, xonly_pubkey_bytes[k - 1], msg32, xonly_pubkey_bytes[d - 1]); + rustsecp256k1zkp_v0_6_0_scalar e; + rustsecp256k1zkp_v0_6_0_testrand256(msg32); + rustsecp256k1zkp_v0_6_0_schnorrsig_challenge(&e, xonly_pubkey_bytes[k - 1], msg32, xonly_pubkey_bytes[d - 1]); /* Only do work if we hit a challenge we haven't tried before. */ if (!e_done[e]) { - rustsecp256k1zkp_v0_5_0_scalar expected_s = (actual_k + e * actual_d) % EXHAUSTIVE_TEST_ORDER; + rustsecp256k1zkp_v0_6_0_scalar expected_s = (actual_k + e * actual_d) % EXHAUSTIVE_TEST_ORDER; unsigned char expected_s_bytes[32]; - rustsecp256k1zkp_v0_5_0_scalar_get_b32(expected_s_bytes, &expected_s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(expected_s_bytes, &expected_s); /* Invoke the real function to construct a signature. */ - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig64, msg32, &keypairs[d - 1], rustsecp256k1zkp_v0_5_0_hardened_nonce_function_smallint, &k)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig64, msg32, &keypairs[d - 1], rustsecp256k1zkp_v0_6_0_hardened_nonce_function_smallint, &k)); /* The first 32 bytes must match the xonly pubkey for the specified k. */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sig64, xonly_pubkey_bytes[k - 1], 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sig64, xonly_pubkey_bytes[k - 1], 32) == 0); /* The last 32 bytes must match the expected s value. */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sig64 + 32, expected_s_bytes, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sig64 + 32, expected_s_bytes, 32) == 0); /* Don't retry other messages that result in the same challenge. */ e_done[e] = 1; ++e_count_done; @@ -175,28 +175,28 @@ static void test_exhaustive_schnorrsig_sign(const rustsecp256k1zkp_v0_5_0_contex } } -static void test_exhaustive_schnorrsig(const rustsecp256k1zkp_v0_5_0_context *ctx) { - rustsecp256k1zkp_v0_5_0_keypair keypair[EXHAUSTIVE_TEST_ORDER - 1]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey xonly_pubkey[EXHAUSTIVE_TEST_ORDER - 1]; +static void test_exhaustive_schnorrsig(const rustsecp256k1zkp_v0_6_0_context *ctx) { + rustsecp256k1zkp_v0_6_0_keypair keypair[EXHAUSTIVE_TEST_ORDER - 1]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey xonly_pubkey[EXHAUSTIVE_TEST_ORDER - 1]; int parity[EXHAUSTIVE_TEST_ORDER - 1]; unsigned char xonly_pubkey_bytes[EXHAUSTIVE_TEST_ORDER - 1][32]; unsigned i; /* Verify that all invalid_pubkey_bytes are actually invalid. */ for (i = 0; i < NUM_INVALID_KEYS; ++i) { - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk; - CHECK(!rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &pk, invalid_pubkey_bytes[i])); + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk; + CHECK(!rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &pk, invalid_pubkey_bytes[i])); } /* Construct keypairs and xonly-pubkeys for the entire group. */ for (i = 1; i < EXHAUSTIVE_TEST_ORDER; ++i) { - rustsecp256k1zkp_v0_5_0_scalar scalar_i; + rustsecp256k1zkp_v0_6_0_scalar scalar_i; unsigned char buf[32]; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&scalar_i, i); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf, &scalar_i); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair[i - 1], buf)); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &xonly_pubkey[i - 1], &parity[i - 1], &keypair[i - 1])); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, xonly_pubkey_bytes[i - 1], &xonly_pubkey[i - 1])); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&scalar_i, i); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf, &scalar_i); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair[i - 1], buf)); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &xonly_pubkey[i - 1], &parity[i - 1], &keypair[i - 1])); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, xonly_pubkey_bytes[i - 1], &xonly_pubkey[i - 1])); } test_exhaustive_schnorrsig_sign(ctx, xonly_pubkey_bytes, keypair, parity); diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_impl.h index 55ccf022..0b3ab1c9 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/schnorrsig/tests_impl.h @@ -7,7 +7,7 @@ #ifndef SECP256K1_MODULE_SCHNORRSIG_TESTS_H #define SECP256K1_MODULE_SCHNORRSIG_TESTS_H -#include "secp256k1_schnorrsig.h" +#include "../../../include/secp256k1_schnorrsig.h" /* Checks that a bit flip in the n_flip-th argument (that has n_bytes many * bytes) changes the hash function @@ -15,28 +15,28 @@ void nonce_function_bip340_bitflip(unsigned char **args, size_t n_flip, size_t n_bytes) { unsigned char nonces[2][32]; CHECK(nonce_function_bip340(nonces[0], args[0], args[1], args[2], args[3], args[4]) == 1); - rustsecp256k1zkp_v0_5_0_testrand_flip(args[n_flip], n_bytes); + rustsecp256k1zkp_v0_6_0_testrand_flip(args[n_flip], n_bytes); CHECK(nonce_function_bip340(nonces[1], args[0], args[1], args[2], args[3], args[4]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonces[0], nonces[1], 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonces[0], nonces[1], 32) != 0); } /* Tests for the equality of two sha256 structs. This function only produces a * correct result if an integer multiple of 64 many bytes have been written * into the hash functions. */ -void test_sha256_eq(const rustsecp256k1zkp_v0_5_0_sha256 *sha1, const rustsecp256k1zkp_v0_5_0_sha256 *sha2) { +void test_sha256_eq(const rustsecp256k1zkp_v0_6_0_sha256 *sha1, const rustsecp256k1zkp_v0_6_0_sha256 *sha2) { /* Is buffer fully consumed? */ CHECK((sha1->bytes & 0x3F) == 0); CHECK(sha1->bytes == sha2->bytes); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0); } void run_nonce_function_bip340_tests(void) { unsigned char tag[13] = "BIP0340/nonce"; unsigned char aux_tag[11] = "BIP0340/aux"; unsigned char algo16[16] = "BIP0340/nonce\0\0\0"; - rustsecp256k1zkp_v0_5_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_sha256 sha_optimized; + rustsecp256k1zkp_v0_6_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha_optimized; unsigned char nonce[32]; unsigned char msg[32]; unsigned char key[32]; @@ -46,23 +46,23 @@ void run_nonce_function_bip340_tests(void) { int i; /* Check that hash initialized by - * rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged has the expected + * rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged has the expected * state. */ - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, tag, sizeof(tag)); - rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, tag, sizeof(tag)); + rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged(&sha_optimized); test_sha256_eq(&sha, &sha_optimized); /* Check that hash initialized by - * rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged_aux has the expected + * rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged_aux has the expected * state. */ - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag)); - rustsecp256k1zkp_v0_5_0_nonce_function_bip340_sha256_tagged_aux(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, aux_tag, sizeof(aux_tag)); + rustsecp256k1zkp_v0_6_0_nonce_function_bip340_sha256_tagged_aux(&sha_optimized); test_sha256_eq(&sha, &sha_optimized); - rustsecp256k1zkp_v0_5_0_testrand256(msg); - rustsecp256k1zkp_v0_5_0_testrand256(key); - rustsecp256k1zkp_v0_5_0_testrand256(pk); - rustsecp256k1zkp_v0_5_0_testrand256(aux_rand); + rustsecp256k1zkp_v0_6_0_testrand256(msg); + rustsecp256k1zkp_v0_6_0_testrand256(key); + rustsecp256k1zkp_v0_6_0_testrand256(pk); + rustsecp256k1zkp_v0_6_0_testrand256(aux_rand); /* Check that a bitflip in an argument results in different nonces. */ args[0] = msg; @@ -102,89 +102,89 @@ void test_schnorrsig_api(void) { unsigned char sk2[32]; unsigned char sk3[32]; unsigned char msg[32]; - rustsecp256k1zkp_v0_5_0_keypair keypairs[3]; - rustsecp256k1zkp_v0_5_0_keypair invalid_keypair = { 0 }; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk[3]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey zero_pk; + rustsecp256k1zkp_v0_6_0_keypair keypairs[3]; + rustsecp256k1zkp_v0_6_0_keypair invalid_keypair = {{ 0 }}; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk[3]; + rustsecp256k1zkp_v0_6_0_xonly_pubkey zero_pk; unsigned char sig[64]; /** setup **/ - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_context *both = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *both = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); int ecount; - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); - - rustsecp256k1zkp_v0_5_0_testrand256(sk1); - rustsecp256k1zkp_v0_5_0_testrand256(sk2); - rustsecp256k1zkp_v0_5_0_testrand256(sk3); - rustsecp256k1zkp_v0_5_0_testrand256(msg); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypairs[0], sk1) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypairs[1], sk2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypairs[2], sk3) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); + + rustsecp256k1zkp_v0_6_0_testrand256(sk1); + rustsecp256k1zkp_v0_6_0_testrand256(sk2); + rustsecp256k1zkp_v0_6_0_testrand256(sk3); + rustsecp256k1zkp_v0_6_0_testrand256(msg); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypairs[0], sk1) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypairs[1], sk2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypairs[2], sk3) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1); memset(&zero_pk, 0, sizeof(zero_pk)); /** main test body **/ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(sign, sig, msg, NULL, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(sign, sig, msg, NULL, NULL, NULL) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL, NULL) == 0); CHECK(ecount == 6); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(none, sig, msg, &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(none, sig, msg, &pk[0]) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(sign, sig, msg, &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(sign, sig, msg, &pk[0]) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(vrfy, sig, msg, &pk[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(vrfy, sig, msg, &pk[0]) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(vrfy, NULL, msg, &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(vrfy, NULL, msg, &pk[0]) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(vrfy, sig, NULL, &pk[0]) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(vrfy, sig, NULL, &pk[0]) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(vrfy, sig, msg, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(vrfy, sig, msg, NULL) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(vrfy, sig, msg, &zero_pk) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(vrfy, sig, msg, &zero_pk) == 0); CHECK(ecount == 6); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_destroy(both); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(both); } -/* Checks that hash initialized by rustsecp256k1zkp_v0_5_0_schnorrsig_sha256_tagged has the +/* Checks that hash initialized by rustsecp256k1zkp_v0_6_0_schnorrsig_sha256_tagged has the * expected state. */ void test_schnorrsig_sha256_tagged(void) { char tag[17] = "BIP0340/challenge"; - rustsecp256k1zkp_v0_5_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_sha256 sha_optimized; + rustsecp256k1zkp_v0_6_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha_optimized; - rustsecp256k1zkp_v0_5_0_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag)); - rustsecp256k1zkp_v0_5_0_schnorrsig_sha256_tagged(&sha_optimized); + rustsecp256k1zkp_v0_6_0_sha256_initialize_tagged(&sha, (unsigned char *) tag, sizeof(tag)); + rustsecp256k1zkp_v0_6_0_schnorrsig_sha256_tagged(&sha_optimized); test_sha256_eq(&sha, &sha_optimized); } @@ -192,26 +192,26 @@ void test_schnorrsig_sha256_tagged(void) { * Signs the message and checks that it's the same as expected_sig. */ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const unsigned char *pk_serialized, unsigned char *aux_rand, const unsigned char *msg, const unsigned char *expected_sig) { unsigned char sig[64]; - rustsecp256k1zkp_v0_5_0_keypair keypair; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk, pk_expected; + rustsecp256k1zkp_v0_6_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk, pk_expected; - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, aux_rand)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sig, expected_sig, 64) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, aux_rand)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sig, expected_sig, 64) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized)); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig, msg, &pk)); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized)); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig, msg, &pk)); } /* Helper function for schnorrsig_bip_vectors * Checks that both verify and verify_batch (TODO) return the same value as expected. */ void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) { - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk; - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &pk, pk_serialized)); - CHECK(expected == rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig, msg32, &pk)); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &pk, pk_serialized)); + CHECK(expected == rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig, msg32, &pk)); } /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See @@ -407,9 +407,9 @@ void test_schnorrsig_bip_vectors(void) { 0xEB, 0x98, 0x98, 0xAE, 0x79, 0xB9, 0x76, 0x87, 0x66, 0xE4, 0xFA, 0xA0, 0x4A, 0x2D, 0x4A, 0x34 }; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk_parsed; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk_parsed; /* No need to check the signature of the test vector as parsing the pubkey already fails */ - CHECK(!rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &pk_parsed, pk)); + CHECK(!rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &pk_parsed, pk)); } { /* Test vector 6 */ @@ -627,9 +627,9 @@ void test_schnorrsig_bip_vectors(void) { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30 }; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk_parsed; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk_parsed; /* No need to check the signature of the test vector as parsing the pubkey already fails */ - CHECK(!rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &pk_parsed, pk)); + CHECK(!rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &pk_parsed, pk)); } } @@ -670,24 +670,24 @@ static int nonce_function_overflowing(unsigned char *nonce32, const unsigned cha void test_schnorrsig_sign(void) { unsigned char sk[32]; - rustsecp256k1zkp_v0_5_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_keypair keypair; const unsigned char msg[32] = "this is a msg for a schnorrsig.."; unsigned char sig[64]; unsigned char zeros64[64] = { 0 }; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1); /* Test different nonce functions */ memset(sig, 1, sizeof(sig)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_failing, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sig, zeros64, sizeof(sig)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_failing, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sig, zeros64, sizeof(sig)) == 0); memset(&sig, 1, sizeof(sig)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_0, NULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sig, zeros64, sizeof(sig)) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_overflowing, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(sig, zeros64, sizeof(sig)) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_0, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sig, zeros64, sizeof(sig)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig, msg, &keypair, nonce_function_overflowing, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(sig, zeros64, sizeof(sig)) != 0); } #define N_SIGS 3 @@ -699,66 +699,66 @@ void test_schnorrsig_sign_verify(void) { unsigned char msg[N_SIGS][32]; unsigned char sig[N_SIGS][64]; size_t i; - rustsecp256k1zkp_v0_5_0_keypair keypair; - rustsecp256k1zkp_v0_5_0_xonly_pubkey pk; - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_xonly_pubkey pk; + rustsecp256k1zkp_v0_6_0_scalar s; - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk)); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk)); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); for (i = 0; i < N_SIGS; i++) { - rustsecp256k1zkp_v0_5_0_testrand256(msg[i]); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[i], msg[i], &pk)); + rustsecp256k1zkp_v0_6_0_testrand256(msg[i]); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[i], msg[i], &pk)); } { /* Flip a few bits in the signature and in the message and check that * verify and verify_batch (TODO) fail */ - size_t sig_idx = rustsecp256k1zkp_v0_5_0_testrand_int(N_SIGS); - size_t byte_idx = rustsecp256k1zkp_v0_5_0_testrand_int(32); - unsigned char xorbyte = rustsecp256k1zkp_v0_5_0_testrand_int(254)+1; + size_t sig_idx = rustsecp256k1zkp_v0_6_0_testrand_int(N_SIGS); + size_t byte_idx = rustsecp256k1zkp_v0_6_0_testrand_int(32); + unsigned char xorbyte = rustsecp256k1zkp_v0_6_0_testrand_int(254)+1; sig[sig_idx][byte_idx] ^= xorbyte; - CHECK(!rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(!rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); sig[sig_idx][byte_idx] ^= xorbyte; - byte_idx = rustsecp256k1zkp_v0_5_0_testrand_int(32); + byte_idx = rustsecp256k1zkp_v0_6_0_testrand_int(32); sig[sig_idx][32+byte_idx] ^= xorbyte; - CHECK(!rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(!rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); sig[sig_idx][32+byte_idx] ^= xorbyte; - byte_idx = rustsecp256k1zkp_v0_5_0_testrand_int(32); + byte_idx = rustsecp256k1zkp_v0_6_0_testrand_int(32); msg[sig_idx][byte_idx] ^= xorbyte; - CHECK(!rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(!rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); msg[sig_idx][byte_idx] ^= xorbyte; /* Check that above bitflips have been reversed correctly */ - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], &pk)); } /* Test overflowing s */ - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); memset(&sig[0][32], 0xFF, 32); - CHECK(!rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); + CHECK(!rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); /* Test negative s */ - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, &sig[0][32], NULL); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, &s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig[0][32], &s); - CHECK(!rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, &sig[0][32], NULL); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, &s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig[0][32], &s); + CHECK(!rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig[0], msg[0], &pk)); } #undef N_SIGS void test_schnorrsig_taproot(void) { unsigned char sk[32]; - rustsecp256k1zkp_v0_5_0_keypair keypair; - rustsecp256k1zkp_v0_5_0_xonly_pubkey internal_pk; + rustsecp256k1zkp_v0_6_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_xonly_pubkey internal_pk; unsigned char internal_pk_bytes[32]; - rustsecp256k1zkp_v0_5_0_xonly_pubkey output_pk; + rustsecp256k1zkp_v0_6_0_xonly_pubkey output_pk; unsigned char output_pk_bytes[32]; unsigned char tweak[32]; int pk_parity; @@ -766,27 +766,27 @@ void test_schnorrsig_taproot(void) { unsigned char sig[64]; /* Create output key */ - rustsecp256k1zkp_v0_5_0_testrand256(sk); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, sk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(sk); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, sk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1); /* In actual taproot the tweak would be hash of internal_pk */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1); /* Key spend */ - rustsecp256k1zkp_v0_5_0_testrand256(msg); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1); + rustsecp256k1zkp_v0_6_0_testrand256(msg); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL) == 1); /* Verify key spend */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_schnorrsig_verify(ctx, sig, msg, &output_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_schnorrsig_verify(ctx, sig, msg, &output_pk) == 1); /* Script spend */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1); /* Verify script spend */ - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1); } void run_schnorrsig_tests(void) { diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/Makefile.am.include index e386fc83..65738ac2 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_surjectionproof.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_surjectionproof.h noinst_HEADERS += src/modules/surjection/main_impl.h noinst_HEADERS += src/modules/surjection/surjection.h noinst_HEADERS += src/modules/surjection/surjection_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/main_impl.h index b32fd246..59aaac24 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/main_impl.h @@ -23,7 +23,7 @@ #define SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS 16 #endif -static size_t rustsecp256k1zkp_v0_5_0_count_bits_set(const unsigned char* data, size_t count) { +static size_t rustsecp256k1zkp_v0_6_0_count_bits_set(const unsigned char* data, size_t count) { size_t ret = 0; size_t i; for (i = 0; i < count; i++) { @@ -46,7 +46,7 @@ static size_t rustsecp256k1zkp_v0_5_0_count_bits_set(const unsigned char* data, #ifdef USE_REDUCED_SURJECTION_PROOF_SIZE static #endif -int rustsecp256k1zkp_v0_5_0_surjectionproof_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_surjectionproof *proof, const unsigned char *input, size_t inputlen) { +int rustsecp256k1zkp_v0_6_0_surjectionproof_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_surjectionproof *proof, const unsigned char *input, size_t inputlen) { size_t n_inputs; size_t signature_len; @@ -75,7 +75,7 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_parse(const rustsecp256k1zkp_v0_5_0_ } } - signature_len = 32 * (1 + rustsecp256k1zkp_v0_5_0_count_bits_set(&input[2], (n_inputs + 7) / 8)); + signature_len = 32 * (1 + rustsecp256k1zkp_v0_6_0_count_bits_set(&input[2], (n_inputs + 7) / 8)); if (inputlen != 2 + (n_inputs + 7) / 8 + signature_len) { return 0; } @@ -86,7 +86,7 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_parse(const rustsecp256k1zkp_v0_5_0_ return 1; } -int rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_5_0_surjectionproof *proof) { +int rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_6_0_surjectionproof *proof) { size_t signature_len; size_t serialized_len; @@ -96,7 +96,7 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(const rustsecp256k1zkp_v0_ ARG_CHECK(proof != NULL); (void) ctx; - signature_len = 32 * (1 + rustsecp256k1zkp_v0_5_0_count_bits_set(proof->used_inputs, (proof->n_inputs + 7) / 8)); + signature_len = 32 * (1 + rustsecp256k1zkp_v0_6_0_count_bits_set(proof->used_inputs, (proof->n_inputs + 7) / 8)); serialized_len = 2 + (proof->n_inputs + 7) / 8 + signature_len; if (*outputlen < serialized_len) { return 0; @@ -111,37 +111,37 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(const rustsecp256k1zkp_v0_ return 1; } -size_t rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_surjectionproof* proof) { +size_t rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_surjectionproof* proof) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(proof != NULL); (void) ctx; return proof->n_inputs; } -size_t rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_surjectionproof* proof) { +size_t rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_surjectionproof* proof) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(proof != NULL); (void) ctx; - return rustsecp256k1zkp_v0_5_0_count_bits_set(proof->used_inputs, (proof->n_inputs + 7) / 8); + return rustsecp256k1zkp_v0_6_0_count_bits_set(proof->used_inputs, (proof->n_inputs + 7) / 8); } -size_t rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_surjectionproof* proof) { +size_t rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_surjectionproof* proof) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(proof != NULL); - return 2 + (proof->n_inputs + 7) / 8 + 32 * (1 + rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, proof)); + return 2 + (proof->n_inputs + 7) / 8 + 32 * (1 + rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, proof)); } typedef struct { unsigned char state[32]; size_t state_i; -} rustsecp256k1zkp_v0_5_0_surjectionproof_csprng; +} rustsecp256k1zkp_v0_6_0_surjectionproof_csprng; -static void rustsecp256k1zkp_v0_5_0_surjectionproof_csprng_init(rustsecp256k1zkp_v0_5_0_surjectionproof_csprng *csprng, const unsigned char* state) { +static void rustsecp256k1zkp_v0_6_0_surjectionproof_csprng_init(rustsecp256k1zkp_v0_6_0_surjectionproof_csprng *csprng, const unsigned char* state) { memcpy(csprng->state, state, 32); csprng->state_i = 0; } -static size_t rustsecp256k1zkp_v0_5_0_surjectionproof_csprng_next(rustsecp256k1zkp_v0_5_0_surjectionproof_csprng *csprng, size_t rand_max) { +static size_t rustsecp256k1zkp_v0_6_0_surjectionproof_csprng_next(rustsecp256k1zkp_v0_6_0_surjectionproof_csprng *csprng, size_t rand_max) { /* The number of random bytes to read for each random sample */ const size_t increment = rand_max > 256 ? 2 : 1; /* The maximum value expressable by the number of random bytes we read */ @@ -152,10 +152,10 @@ static size_t rustsecp256k1zkp_v0_5_0_surjectionproof_csprng_next(rustsecp256k1z while (1) { size_t val; if (csprng->state_i + increment >= 32) { - rustsecp256k1zkp_v0_5_0_sha256 sha; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, csprng->state, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, csprng->state); + rustsecp256k1zkp_v0_6_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, csprng->state, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, csprng->state); csprng->state_i = 0; } val = csprng->state[csprng->state_i]; @@ -171,8 +171,8 @@ static size_t rustsecp256k1zkp_v0_5_0_surjectionproof_csprng_next(rustsecp256k1z } } -int rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_surjectionproof* proof, size_t *input_index, const rustsecp256k1zkp_v0_5_0_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, const rustsecp256k1zkp_v0_5_0_fixed_asset_tag* fixed_output_tag, const size_t n_max_iterations, const unsigned char *random_seed32) { - rustsecp256k1zkp_v0_5_0_surjectionproof_csprng csprng; +int rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_surjectionproof* proof, size_t *input_index, const rustsecp256k1zkp_v0_6_0_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, const rustsecp256k1zkp_v0_6_0_fixed_asset_tag* fixed_output_tag, const size_t n_max_iterations, const unsigned char *random_seed32) { + rustsecp256k1zkp_v0_6_0_surjectionproof_csprng csprng; size_t n_iterations = 0; VERIFY_CHECK(ctx != NULL); @@ -186,7 +186,7 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(const rustsecp256k1zkp_v0 ARG_CHECK(n_input_tags_to_use <= n_input_tags); (void) ctx; - rustsecp256k1zkp_v0_5_0_surjectionproof_csprng_init(&csprng, random_seed32); + rustsecp256k1zkp_v0_6_0_surjectionproof_csprng_init(&csprng, random_seed32); memset(proof->data, 0, sizeof(proof->data)); proof->n_inputs = n_input_tags; @@ -199,7 +199,7 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(const rustsecp256k1zkp_v0 for (i = 0; i < n_input_tags_to_use; i++) { while (1) { size_t next_input_index; - next_input_index = rustsecp256k1zkp_v0_5_0_surjectionproof_csprng_next(&csprng, n_input_tags); + next_input_index = rustsecp256k1zkp_v0_6_0_surjectionproof_csprng_next(&csprng, n_input_tags); if (memcmp(&fixed_input_tags[next_input_index], fixed_output_tag, sizeof(*fixed_output_tag)) == 0) { *input_index = next_input_index; has_output_tag = 1; @@ -229,10 +229,10 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(const rustsecp256k1zkp_v0 } } -int rustsecp256k1zkp_v0_5_0_surjectionproof_generate(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_surjectionproof* proof, const rustsecp256k1zkp_v0_5_0_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, const rustsecp256k1zkp_v0_5_0_generator* ephemeral_output_tag, size_t input_index, const unsigned char *input_blinding_key, const unsigned char *output_blinding_key) { - rustsecp256k1zkp_v0_5_0_scalar blinding_key; - rustsecp256k1zkp_v0_5_0_scalar tmps; - rustsecp256k1zkp_v0_5_0_scalar nonce; +int rustsecp256k1zkp_v0_6_0_surjectionproof_generate(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_surjectionproof* proof, const rustsecp256k1zkp_v0_6_0_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, const rustsecp256k1zkp_v0_6_0_generator* ephemeral_output_tag, size_t input_index, const unsigned char *input_blinding_key, const unsigned char *output_blinding_key) { + rustsecp256k1zkp_v0_6_0_scalar blinding_key; + rustsecp256k1zkp_v0_6_0_scalar tmps; + rustsecp256k1zkp_v0_6_0_scalar nonce; int overflow = 0; size_t rsizes[1]; /* array needed for borromean sig API */ size_t indices[1]; /* array needed for borromean sig API */ @@ -240,13 +240,13 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_generate(const rustsecp256k1zkp_v0_5 size_t n_total_pubkeys; size_t n_used_pubkeys; size_t ring_input_index = 0; - rustsecp256k1zkp_v0_5_0_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; - rustsecp256k1zkp_v0_5_0_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; + rustsecp256k1zkp_v0_6_0_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; + rustsecp256k1zkp_v0_6_0_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; unsigned char msg32[32]; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(proof != NULL); ARG_CHECK(ephemeral_input_tags != NULL); ARG_CHECK(ephemeral_output_tag != NULL); @@ -257,50 +257,50 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_generate(const rustsecp256k1zkp_v0_5 #endif /* Compute secret key */ - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&tmps, input_blinding_key, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&tmps, input_blinding_key, &overflow); if (overflow) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&blinding_key, output_blinding_key, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&blinding_key, output_blinding_key, &overflow); if (overflow) { return 0; } /* The only time the input may equal the output is if neither one was blinded in the first place, * i.e. both blinding keys are zero. Otherwise this is a privacy leak. */ - if (rustsecp256k1zkp_v0_5_0_scalar_eq(&tmps, &blinding_key) && !rustsecp256k1zkp_v0_5_0_scalar_is_zero(&blinding_key)) { + if (rustsecp256k1zkp_v0_6_0_scalar_eq(&tmps, &blinding_key) && !rustsecp256k1zkp_v0_6_0_scalar_is_zero(&blinding_key)) { return 0; } - rustsecp256k1zkp_v0_5_0_scalar_negate(&tmps, &tmps); - rustsecp256k1zkp_v0_5_0_scalar_add(&blinding_key, &blinding_key, &tmps); + rustsecp256k1zkp_v0_6_0_scalar_negate(&tmps, &tmps); + rustsecp256k1zkp_v0_6_0_scalar_add(&blinding_key, &blinding_key, &tmps); /* Compute public keys */ - n_total_pubkeys = rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(ctx, proof); - n_used_pubkeys = rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, proof); + n_total_pubkeys = rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(ctx, proof); + n_used_pubkeys = rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, proof); if (n_used_pubkeys > n_total_pubkeys || n_total_pubkeys != n_ephemeral_input_tags) { return 0; } - if (rustsecp256k1zkp_v0_5_0_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, input_index, &ring_input_index) == 0) { + if (rustsecp256k1zkp_v0_6_0_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, input_index, &ring_input_index) == 0) { return 0; } /* Produce signature */ rsizes[0] = (int) n_used_pubkeys; indices[0] = (int) ring_input_index; - rustsecp256k1zkp_v0_5_0_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag); - if (rustsecp256k1zkp_v0_5_0_surjection_genrand(borromean_s, n_used_pubkeys, &blinding_key) == 0) { + rustsecp256k1zkp_v0_6_0_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag); + if (rustsecp256k1zkp_v0_6_0_surjection_genrand(borromean_s, n_used_pubkeys, &blinding_key) == 0) { return 0; } /* Borromean sign will overwrite one of the s values we just generated, so use * it as a nonce instead. This avoids extra random generation and also is an * homage to the rangeproof code which does this very cleverly to encode messages. */ nonce = borromean_s[ring_input_index]; - rustsecp256k1zkp_v0_5_0_scalar_clear(&borromean_s[ring_input_index]); - if (rustsecp256k1zkp_v0_5_0_borromean_sign(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, &proof->data[0], borromean_s, ring_pubkeys, &nonce, &blinding_key, rsizes, indices, 1, msg32, 32) == 0) { + rustsecp256k1zkp_v0_6_0_scalar_clear(&borromean_s[ring_input_index]); + if (rustsecp256k1zkp_v0_6_0_borromean_sign(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, &proof->data[0], borromean_s, ring_pubkeys, &nonce, &blinding_key, rsizes, indices, 1, msg32, 32) == 0) { return 0; } for (i = 0; i < n_used_pubkeys; i++) { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&proof->data[32 + 32 * i], &borromean_s[i]); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&proof->data[32 + 32 * i], &borromean_s[i]); } return 1; } @@ -308,24 +308,24 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_generate(const rustsecp256k1zkp_v0_5 #ifdef USE_REDUCED_SURJECTION_PROOF_SIZE static #endif -int rustsecp256k1zkp_v0_5_0_surjectionproof_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_surjectionproof* proof, const rustsecp256k1zkp_v0_5_0_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, const rustsecp256k1zkp_v0_5_0_generator* ephemeral_output_tag) { +int rustsecp256k1zkp_v0_6_0_surjectionproof_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_surjectionproof* proof, const rustsecp256k1zkp_v0_6_0_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, const rustsecp256k1zkp_v0_6_0_generator* ephemeral_output_tag) { size_t rsizes[1]; /* array needed for borromean sig API */ size_t i; size_t n_total_pubkeys; size_t n_used_pubkeys; - rustsecp256k1zkp_v0_5_0_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; - rustsecp256k1zkp_v0_5_0_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; + rustsecp256k1zkp_v0_6_0_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; + rustsecp256k1zkp_v0_6_0_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS]; unsigned char msg32[32]; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(proof != NULL); ARG_CHECK(ephemeral_input_tags != NULL); ARG_CHECK(ephemeral_output_tag != NULL); /* Compute public keys */ - n_total_pubkeys = rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(ctx, proof); - n_used_pubkeys = rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, proof); + n_total_pubkeys = rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(ctx, proof); + n_used_pubkeys = rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, proof); if (n_used_pubkeys == 0 || n_used_pubkeys > n_total_pubkeys || n_total_pubkeys != n_ephemeral_input_tags) { return 0; } @@ -335,7 +335,7 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_verify(const rustsecp256k1zkp_v0_5_0 return 0; } - if (rustsecp256k1zkp_v0_5_0_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, 0, NULL) == 0) { + if (rustsecp256k1zkp_v0_6_0_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, 0, NULL) == 0) { return 0; } @@ -343,13 +343,13 @@ int rustsecp256k1zkp_v0_5_0_surjectionproof_verify(const rustsecp256k1zkp_v0_5_0 rsizes[0] = (int) n_used_pubkeys; for (i = 0; i < n_used_pubkeys; i++) { int overflow = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&borromean_s[i], &proof->data[32 + 32 * i], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&borromean_s[i], &proof->data[32 + 32 * i], &overflow); if (overflow == 1) { return 0; } } - rustsecp256k1zkp_v0_5_0_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag); - return rustsecp256k1zkp_v0_5_0_borromean_verify(&ctx->ecmult_ctx, NULL, &proof->data[0], borromean_s, ring_pubkeys, rsizes, 1, msg32, 32); + rustsecp256k1zkp_v0_6_0_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag); + return rustsecp256k1zkp_v0_6_0_borromean_verify(&ctx->ecmult_ctx, NULL, &proof->data[0], borromean_s, ring_pubkeys, rsizes, 1, msg32, 32); } #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection.h index 0e7e2c5d..4c1aabe4 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection.h @@ -10,10 +10,10 @@ #include "group.h" #include "scalar.h" -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_surjection_genmessage(unsigned char *msg32, rustsecp256k1zkp_v0_5_0_ge *ephemeral_input_tags, size_t n_input_tags, rustsecp256k1zkp_v0_5_0_ge *ephemeral_output_tag); +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_surjection_genmessage(unsigned char *msg32, rustsecp256k1zkp_v0_6_0_ge *ephemeral_input_tags, size_t n_input_tags, rustsecp256k1zkp_v0_6_0_ge *ephemeral_output_tag); -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_surjection_genrand(rustsecp256k1zkp_v0_5_0_scalar *s, size_t ns, const rustsecp256k1zkp_v0_5_0_scalar *blinding_key); +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_surjection_genrand(rustsecp256k1zkp_v0_6_0_scalar *s, size_t ns, const rustsecp256k1zkp_v0_6_0_scalar *blinding_key); -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_surjection_compute_public_keys(rustsecp256k1zkp_v0_5_0_gej *pubkeys, size_t n_pubkeys, const rustsecp256k1zkp_v0_5_0_ge *input_tags, size_t n_input_tags, const unsigned char *used_tags, const rustsecp256k1zkp_v0_5_0_ge *output_tag, size_t input_index, size_t *ring_input_index); +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_surjection_compute_public_keys(rustsecp256k1zkp_v0_6_0_gej *pubkeys, size_t n_pubkeys, const rustsecp256k1zkp_v0_6_0_ge *input_tags, size_t n_input_tags, const unsigned char *used_tags, const rustsecp256k1zkp_v0_6_0_ge *output_tag, size_t input_index, size_t *ring_input_index); #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection_impl.h index 375cc223..722baeb5 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/surjection_impl.h @@ -14,32 +14,32 @@ #include "scalar.h" #include "hash.h" -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_surjection_genmessage(unsigned char *msg32, const rustsecp256k1zkp_v0_5_0_generator *ephemeral_input_tags, size_t n_input_tags, const rustsecp256k1zkp_v0_5_0_generator *ephemeral_output_tag) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_surjection_genmessage(unsigned char *msg32, const rustsecp256k1zkp_v0_6_0_generator *ephemeral_input_tags, size_t n_input_tags, const rustsecp256k1zkp_v0_6_0_generator *ephemeral_output_tag) { /* compute message */ size_t i; unsigned char pk_ser[33]; size_t pk_len = sizeof(pk_ser); - rustsecp256k1zkp_v0_5_0_sha256 sha256_en; + rustsecp256k1zkp_v0_6_0_sha256 sha256_en; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_en); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_en); for (i = 0; i < n_input_tags; i++) { pk_ser[0] = 2 + (ephemeral_input_tags[i].data[63] & 1); memcpy(&pk_ser[1], &ephemeral_input_tags[i].data[0], 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_en, pk_ser, pk_len); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_en, pk_ser, pk_len); } pk_ser[0] = 2 + (ephemeral_output_tag->data[63] & 1); memcpy(&pk_ser[1], &ephemeral_output_tag->data[0], 32); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_en, pk_ser, pk_len); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_en, msg32); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_en, pk_ser, pk_len); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_en, msg32); } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_surjection_genrand(rustsecp256k1zkp_v0_5_0_scalar *s, size_t ns, const rustsecp256k1zkp_v0_5_0_scalar *blinding_key) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_surjection_genrand(rustsecp256k1zkp_v0_6_0_scalar *s, size_t ns, const rustsecp256k1zkp_v0_6_0_scalar *blinding_key) { size_t i; unsigned char sec_input[36]; - rustsecp256k1zkp_v0_5_0_sha256 sha256_en; + rustsecp256k1zkp_v0_6_0_sha256 sha256_en; /* compute s values */ - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sec_input[4], blinding_key); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sec_input[4], blinding_key); for (i = 0; i < ns; i++) { int overflow = 0; sec_input[0] = i; @@ -47,10 +47,10 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_surjection_genrand(rustsecp2 sec_input[2] = i >> 16; sec_input[3] = i >> 24; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_en); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_en, sec_input, 36); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_en, sec_input); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s[i], sec_input, &overflow); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_en); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_en, sec_input, 36); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_en, sec_input); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s[i], sec_input, &overflow); if (overflow == 1) { memset(sec_input, 0, 32); return 0; @@ -60,21 +60,21 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_surjection_genrand(rustsecp2 return 1; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_surjection_compute_public_keys(rustsecp256k1zkp_v0_5_0_gej *pubkeys, size_t n_pubkeys, const rustsecp256k1zkp_v0_5_0_generator *input_tags, size_t n_input_tags, const unsigned char *used_tags, const rustsecp256k1zkp_v0_5_0_generator *output_tag, size_t input_index, size_t *ring_input_index) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_surjection_compute_public_keys(rustsecp256k1zkp_v0_6_0_gej *pubkeys, size_t n_pubkeys, const rustsecp256k1zkp_v0_6_0_generator *input_tags, size_t n_input_tags, const unsigned char *used_tags, const rustsecp256k1zkp_v0_6_0_generator *output_tag, size_t input_index, size_t *ring_input_index) { size_t i; size_t j = 0; for (i = 0; i < n_input_tags; i++) { if (used_tags[i / 8] & (1 << (i % 8))) { - rustsecp256k1zkp_v0_5_0_ge tmpge; - rustsecp256k1zkp_v0_5_0_generator_load(&tmpge, &input_tags[i]); - rustsecp256k1zkp_v0_5_0_ge_neg(&tmpge, &tmpge); + rustsecp256k1zkp_v0_6_0_ge tmpge; + rustsecp256k1zkp_v0_6_0_generator_load(&tmpge, &input_tags[i]); + rustsecp256k1zkp_v0_6_0_ge_neg(&tmpge, &tmpge); VERIFY_CHECK(j < SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS); VERIFY_CHECK(j < n_pubkeys); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pubkeys[j], &tmpge); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pubkeys[j], &tmpge); - rustsecp256k1zkp_v0_5_0_generator_load(&tmpge, output_tag); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&pubkeys[j], &pubkeys[j], &tmpge, NULL); + rustsecp256k1zkp_v0_6_0_generator_load(&tmpge, output_tag); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&pubkeys[j], &pubkeys[j], &tmpge, NULL); if (ring_input_index != NULL && input_index == i) { *ring_input_index = j; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/tests_impl.h index f8956cfa..e5086f07 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/surjection/tests_impl.h @@ -15,77 +15,77 @@ static void test_surjectionproof_api(void) { unsigned char seed[32]; - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_context *sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1zkp_v0_5_0_context *vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_context *both = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_fixed_asset_tag fixed_input_tags[10]; - rustsecp256k1zkp_v0_5_0_fixed_asset_tag fixed_output_tag; - rustsecp256k1zkp_v0_5_0_generator ephemeral_input_tags[10]; - rustsecp256k1zkp_v0_5_0_generator ephemeral_output_tag; + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_context *sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1zkp_v0_6_0_context *vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_context *both = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_fixed_asset_tag fixed_input_tags[10]; + rustsecp256k1zkp_v0_6_0_fixed_asset_tag fixed_output_tag; + rustsecp256k1zkp_v0_6_0_generator ephemeral_input_tags[10]; + rustsecp256k1zkp_v0_6_0_generator ephemeral_output_tag; unsigned char input_blinding_key[10][32]; unsigned char output_blinding_key[32]; unsigned char serialized_proof[SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES_MAX]; size_t serialized_len; - rustsecp256k1zkp_v0_5_0_surjectionproof proof; - rustsecp256k1zkp_v0_5_0_surjectionproof* proof_on_heap; + rustsecp256k1zkp_v0_6_0_surjectionproof proof; + rustsecp256k1zkp_v0_6_0_surjectionproof* proof_on_heap; size_t n_inputs = sizeof(fixed_input_tags) / sizeof(fixed_input_tags[0]); size_t input_index; int32_t ecount = 0; size_t i; - rustsecp256k1zkp_v0_5_0_testrand256(seed); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_testrand256(seed); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); for (i = 0; i < n_inputs; i++) { - rustsecp256k1zkp_v0_5_0_testrand256(input_blinding_key[i]); - rustsecp256k1zkp_v0_5_0_testrand256(fixed_input_tags[i].data); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); + rustsecp256k1zkp_v0_6_0_testrand256(input_blinding_key[i]); + rustsecp256k1zkp_v0_6_0_testrand256(fixed_input_tags[i].data); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); } - rustsecp256k1zkp_v0_5_0_testrand256(output_blinding_key); + rustsecp256k1zkp_v0_6_0_testrand256(output_blinding_key); memcpy(&fixed_output_tag, &fixed_input_tags[0], sizeof(fixed_input_tags[0])); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, output_blinding_key)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, output_blinding_key)); /* check allocate_initialized */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); CHECK(proof_on_heap != 0); - rustsecp256k1zkp_v0_5_0_surjectionproof_destroy(proof_on_heap); + rustsecp256k1zkp_v0_6_0_surjectionproof_destroy(proof_on_heap); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); CHECK(proof_on_heap != 0); - rustsecp256k1zkp_v0_5_0_surjectionproof_destroy(proof_on_heap); + rustsecp256k1zkp_v0_6_0_surjectionproof_destroy(proof_on_heap); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 6); - CHECK((rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); + CHECK((rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_allocate_initialized(none, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); CHECK(proof_on_heap == 0); CHECK(ecount == 7); @@ -94,112 +94,112 @@ static void test_surjectionproof_api(void) { ecount = 0; /* check initialize */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); CHECK(ecount == 6); - CHECK((rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); + CHECK((rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); CHECK(ecount == 7); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(none, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); /* check generate */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(none, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(none, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 8); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(vrfy, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(vrfy, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(sign, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(sign, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); CHECK(ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 11); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, NULL, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, NULL, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, 0, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, 0, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, NULL, 0, input_blinding_key[0], output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, NULL, 0, input_blinding_key[0], output_blinding_key) == 0); CHECK(ecount == 13); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 1, input_blinding_key[0], output_blinding_key) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 1, input_blinding_key[0], output_blinding_key) != 0); CHECK(ecount == 13); /* the above line "succeeds" but generates an invalid proof as the input_index is wrong. it is fairly expensive to detect this. should we? */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, n_inputs + 1, input_blinding_key[0], output_blinding_key) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, n_inputs + 1, input_blinding_key[0], output_blinding_key) != 0); CHECK(ecount == 13); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, NULL, output_blinding_key) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, NULL, output_blinding_key) == 0); CHECK(ecount == 14); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], NULL) == 0); CHECK(ecount == 15); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_generate(both, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); /* check verify */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(none, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(none, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); CHECK(ecount == 16); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(sign, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(sign, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); CHECK(ecount == 17); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) != 0); CHECK(ecount == 17); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(vrfy, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(vrfy, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); CHECK(ecount == 18); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(vrfy, &proof, NULL, n_inputs, &ephemeral_output_tag) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(vrfy, &proof, NULL, n_inputs, &ephemeral_output_tag) == 0); CHECK(ecount == 19); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag) == 0); CHECK(ecount == 19); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag) == 0); CHECK(ecount == 19); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs, NULL) == 0); CHECK(ecount == 20); /* Check serialize */ serialized_len = sizeof(serialized_proof); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(none, serialized_proof, &serialized_len, &proof) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(none, serialized_proof, &serialized_len, &proof) != 0); CHECK(ecount == 20); serialized_len = sizeof(serialized_proof); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(none, NULL, &serialized_len, &proof) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(none, NULL, &serialized_len, &proof) == 0); CHECK(ecount == 21); serialized_len = sizeof(serialized_proof); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(none, serialized_proof, NULL, &proof) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(none, serialized_proof, NULL, &proof) == 0); CHECK(ecount == 22); serialized_len = sizeof(serialized_proof); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(none, serialized_proof, &serialized_len, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(none, serialized_proof, &serialized_len, NULL) == 0); CHECK(ecount == 23); serialized_len = sizeof(serialized_proof); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(none, serialized_proof, &serialized_len, &proof) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(none, serialized_proof, &serialized_len, &proof) != 0); /* Check parse */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(none, &proof, serialized_proof, serialized_len) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(none, &proof, serialized_proof, serialized_len) != 0); CHECK(ecount == 23); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(none, NULL, serialized_proof, serialized_len) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(none, NULL, serialized_proof, serialized_len) == 0); CHECK(ecount == 24); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(none, &proof, NULL, serialized_len) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(none, &proof, NULL, serialized_len) == 0); CHECK(ecount == 25); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(none, &proof, serialized_proof, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(none, &proof, serialized_proof, 0) == 0); CHECK(ecount == 25); - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_destroy(both); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(both); } static void test_input_selection(size_t n_inputs) { @@ -208,70 +208,70 @@ static void test_input_selection(size_t n_inputs) { size_t result; size_t input_index; size_t try_count = n_inputs * 100; - rustsecp256k1zkp_v0_5_0_surjectionproof proof; - rustsecp256k1zkp_v0_5_0_fixed_asset_tag fixed_input_tags[1000]; + rustsecp256k1zkp_v0_6_0_surjectionproof proof; + rustsecp256k1zkp_v0_6_0_fixed_asset_tag fixed_input_tags[1000]; const size_t max_n_inputs = sizeof(fixed_input_tags) / sizeof(fixed_input_tags[0]) - 1; CHECK(n_inputs < max_n_inputs); - rustsecp256k1zkp_v0_5_0_testrand256(seed); + rustsecp256k1zkp_v0_6_0_testrand256(seed); for (i = 0; i < n_inputs + 1; i++) { - rustsecp256k1zkp_v0_5_0_testrand256(fixed_input_tags[i].data); + rustsecp256k1zkp_v0_6_0_testrand256(fixed_input_tags[i].data); } /* cannot match output when told to use zero keys */ - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], try_count, seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], try_count, seed); CHECK(result == 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, &proof) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size(ctx, &proof) == 34 + (n_inputs + 7) / 8); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, &proof) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size(ctx, &proof) == 34 + (n_inputs + 7) / 8); if (n_inputs > 0) { /* succeed in 100*n_inputs tries (probability of failure e^-100) */ - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 1, &fixed_input_tags[0], try_count, seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 1, &fixed_input_tags[0], try_count, seed); CHECK(result > 0); CHECK(result < n_inputs * 10); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, &proof) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size(ctx, &proof) == 66 + (n_inputs + 7) / 8); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, &proof) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size(ctx, &proof) == 66 + (n_inputs + 7) / 8); CHECK(input_index == 0); } if (n_inputs >= 3) { /* succeed in 10*n_inputs tries (probability of failure e^-10) */ - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[1], try_count, seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[1], try_count, seed); CHECK(result > 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, &proof) == 3); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size(ctx, &proof) == 130 + (n_inputs + 7) / 8); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, &proof) == 3); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size(ctx, &proof) == 130 + (n_inputs + 7) / 8); CHECK(input_index == 1); /* fail, key not found */ - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[n_inputs], try_count, seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[n_inputs], try_count, seed); CHECK(result == 0); /* succeed on first try when told to use all keys */ - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], try_count, seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], try_count, seed); CHECK(result == 1); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs + 1) + (n_inputs + 7) / 8); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs + 1) + (n_inputs + 7) / 8); CHECK(input_index == 0); /* succeed in less than 64 tries when told to use half keys. (probability of failure 2^-64) */ - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs / 2, &fixed_input_tags[0], 64, seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs / 2, &fixed_input_tags[0], 64, seed); CHECK(result > 0); CHECK(result < 64); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs / 2); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs / 2 + 1) + (n_inputs + 7) / 8); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs / 2); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs / 2 + 1) + (n_inputs + 7) / 8); CHECK(input_index == 0); } } /** Runs surjectionproof_initilize multiple times and records the number of times each input was used. */ -static void test_input_selection_distribution_helper(const rustsecp256k1zkp_v0_5_0_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, size_t *used_inputs) { - rustsecp256k1zkp_v0_5_0_surjectionproof proof; +static void test_input_selection_distribution_helper(const rustsecp256k1zkp_v0_6_0_fixed_asset_tag* fixed_input_tags, const size_t n_input_tags, const size_t n_input_tags_to_use, size_t *used_inputs) { + rustsecp256k1zkp_v0_6_0_surjectionproof proof; size_t input_index; size_t i; size_t j; @@ -281,8 +281,8 @@ static void test_input_selection_distribution_helper(const rustsecp256k1zkp_v0_5 used_inputs[i] = 0; } for(j = 0; j < 10000; j++) { - rustsecp256k1zkp_v0_5_0_testrand256(seed); - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, &fixed_input_tags[0], 64, seed); + rustsecp256k1zkp_v0_6_0_testrand256(seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, &fixed_input_tags[0], 64, seed); CHECK(result > 0); for (i = 0; i < n_input_tags; i++) { @@ -300,11 +300,11 @@ static void test_input_selection_distribution(void) { size_t i; size_t n_input_tags_to_use; const size_t n_inputs = 4; - rustsecp256k1zkp_v0_5_0_fixed_asset_tag fixed_input_tags[4]; + rustsecp256k1zkp_v0_6_0_fixed_asset_tag fixed_input_tags[4]; size_t used_inputs[4]; for (i = 0; i < n_inputs; i++) { - rustsecp256k1zkp_v0_5_0_testrand256(fixed_input_tags[i].data); + rustsecp256k1zkp_v0_6_0_testrand256(fixed_input_tags[i].data); } /* If there is one input tag to use, initialize must choose the one equal to fixed_output_tag. */ @@ -370,12 +370,12 @@ static void test_input_selection_distribution(void) { static void test_gen_verify(size_t n_inputs, size_t n_used) { unsigned char seed[32]; - rustsecp256k1zkp_v0_5_0_surjectionproof proof; + rustsecp256k1zkp_v0_6_0_surjectionproof proof; unsigned char serialized_proof[SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES_MAX]; unsigned char serialized_proof_trailing[SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES_MAX + 1]; size_t serialized_len = SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES_MAX; - rustsecp256k1zkp_v0_5_0_fixed_asset_tag fixed_input_tags[1000]; - rustsecp256k1zkp_v0_5_0_generator ephemeral_input_tags[1000]; + rustsecp256k1zkp_v0_6_0_fixed_asset_tag fixed_input_tags[1000]; + rustsecp256k1zkp_v0_6_0_generator ephemeral_input_tags[1000]; unsigned char *input_blinding_key[1000]; const size_t max_n_inputs = sizeof(fixed_input_tags) / sizeof(fixed_input_tags[0]) - 1; size_t try_count = n_inputs * 100; @@ -387,24 +387,24 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) { /* setup */ CHECK(n_used <= n_inputs); CHECK(n_inputs < max_n_inputs); - rustsecp256k1zkp_v0_5_0_testrand256(seed); + rustsecp256k1zkp_v0_6_0_testrand256(seed); key_index = (((size_t) seed[0] << 8) + seed[1]) % n_inputs; for (i = 0; i < n_inputs + 1; i++) { input_blinding_key[i] = malloc(32); - rustsecp256k1zkp_v0_5_0_testrand256(input_blinding_key[i]); + rustsecp256k1zkp_v0_6_0_testrand256(input_blinding_key[i]); /* choose random fixed tag, except that for the output one copy from the key_index */ if (i < n_inputs) { - rustsecp256k1zkp_v0_5_0_testrand256(fixed_input_tags[i].data); + rustsecp256k1zkp_v0_6_0_testrand256(fixed_input_tags[i].data); } else { memcpy(&fixed_input_tags[i], &fixed_input_tags[key_index], sizeof(fixed_input_tags[i])); } - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); } /* test */ - result = rustsecp256k1zkp_v0_5_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_used, &fixed_input_tags[key_index], try_count, seed); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_used, &fixed_input_tags[key_index], try_count, seed); if (n_used == 0) { CHECK(result == 0); return; @@ -412,32 +412,32 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) { CHECK(result > 0); CHECK(input_index == key_index); - result = rustsecp256k1zkp_v0_5_0_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); CHECK(result == 1); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof)); - CHECK(serialized_len == rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size(ctx, &proof)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof)); + CHECK(serialized_len == rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size(ctx, &proof)); CHECK(serialized_len == SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES(n_inputs, n_used)); /* trailing garbage */ memcpy(&serialized_proof_trailing, &serialized_proof, serialized_len); serialized_proof_trailing[serialized_len] = seed[0]; - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, serialized_proof_trailing, serialized_len + 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, serialized_proof_trailing, serialized_len + 1) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len)); - result = rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len)); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); CHECK(result == 1); /* various fail cases */ if (n_inputs > 1) { - result = rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); CHECK(result == 0); /* number of entries in ephemeral_input_tags array is less than proof.n_inputs */ n_inputs -= 1; - result = rustsecp256k1zkp_v0_5_0_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); CHECK(result == 0); - result = rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); CHECK(result == 0); n_inputs += 1; } @@ -445,7 +445,7 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) { for (i = 0; i < n_inputs; i++) { /* flip bit */ proof.used_inputs[i / 8] ^= (1 << (i % 8)); - result = rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); CHECK(result == 0); /* reset the bit */ proof.used_inputs[i / 8] ^= (1 << (i % 8)); @@ -459,65 +459,65 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) { /* check that a proof with empty n_used_inputs is invalid */ static void test_no_used_inputs_verify(void) { - rustsecp256k1zkp_v0_5_0_surjectionproof proof; - rustsecp256k1zkp_v0_5_0_fixed_asset_tag fixed_input_tag; - rustsecp256k1zkp_v0_5_0_fixed_asset_tag fixed_output_tag; - rustsecp256k1zkp_v0_5_0_generator ephemeral_input_tags[1]; + rustsecp256k1zkp_v0_6_0_surjectionproof proof; + rustsecp256k1zkp_v0_6_0_fixed_asset_tag fixed_input_tag; + rustsecp256k1zkp_v0_6_0_fixed_asset_tag fixed_output_tag; + rustsecp256k1zkp_v0_6_0_generator ephemeral_input_tags[1]; size_t n_ephemeral_input_tags = 1; - rustsecp256k1zkp_v0_5_0_generator ephemeral_output_tag; + rustsecp256k1zkp_v0_6_0_generator ephemeral_output_tag; unsigned char blinding_key[32]; - rustsecp256k1zkp_v0_5_0_ge output; - rustsecp256k1zkp_v0_5_0_sha256 sha256_e0; + rustsecp256k1zkp_v0_6_0_ge output; + rustsecp256k1zkp_v0_6_0_sha256 sha256_e0; int result; - /* Create proof that doesn't use inputs. rustsecp256k1zkp_v0_5_0_surjectionproof_initialize + /* Create proof that doesn't use inputs. rustsecp256k1zkp_v0_6_0_surjectionproof_initialize * will not work here since it insists on selecting an input that matches the output. */ proof.n_inputs = 1; memset(proof.used_inputs, 0, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS / 8); /* create different fixed input and output tags */ - rustsecp256k1zkp_v0_5_0_testrand256(fixed_input_tag.data); - rustsecp256k1zkp_v0_5_0_testrand256(fixed_output_tag.data); + rustsecp256k1zkp_v0_6_0_testrand256(fixed_input_tag.data); + rustsecp256k1zkp_v0_6_0_testrand256(fixed_output_tag.data); /* blind fixed output tags with random blinding key */ - rustsecp256k1zkp_v0_5_0_testrand256(blinding_key); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &ephemeral_input_tags[0], fixed_input_tag.data, blinding_key)); - CHECK(rustsecp256k1zkp_v0_5_0_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, blinding_key)); + rustsecp256k1zkp_v0_6_0_testrand256(blinding_key); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &ephemeral_input_tags[0], fixed_input_tag.data, blinding_key)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, blinding_key)); /* create "borromean signature" which is just a hash of metadata (pubkeys, etc) in this case */ - rustsecp256k1zkp_v0_5_0_generator_load(&output, &ephemeral_output_tag); - rustsecp256k1zkp_v0_5_0_surjection_genmessage(proof.data, ephemeral_input_tags, 1, &ephemeral_output_tag); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha256_e0); - rustsecp256k1zkp_v0_5_0_sha256_write(&sha256_e0, proof.data, 32); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha256_e0, proof.data); + rustsecp256k1zkp_v0_6_0_generator_load(&output, &ephemeral_output_tag); + rustsecp256k1zkp_v0_6_0_surjection_genmessage(proof.data, ephemeral_input_tags, 1, &ephemeral_output_tag); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha256_e0); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha256_e0, proof.data, 32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha256_e0, proof.data); - result = rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_ephemeral_input_tags, &ephemeral_output_tag); + result = rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_ephemeral_input_tags, &ephemeral_output_tag); CHECK(result == 0); } void test_bad_serialize(void) { - rustsecp256k1zkp_v0_5_0_surjectionproof proof; + rustsecp256k1zkp_v0_6_0_surjectionproof proof; unsigned char serialized_proof[SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES_MAX]; size_t serialized_len; proof.n_inputs = 0; serialized_len = 2 + 31; /* e0 is one byte too short */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) == 0); } void test_bad_parse(void) { - rustsecp256k1zkp_v0_5_0_surjectionproof proof; + rustsecp256k1zkp_v0_6_0_surjectionproof proof; unsigned char serialized_proof0[] = { 0x00 }; unsigned char serialized_proof1[] = { 0x01, 0x00 }; unsigned char serialized_proof2[33] = { 0 }; /* Missing total input count */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, serialized_proof0, sizeof(serialized_proof0)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, serialized_proof0, sizeof(serialized_proof0)) == 0); /* Missing bitmap */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, serialized_proof1, sizeof(serialized_proof1)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, serialized_proof1, sizeof(serialized_proof1)) == 0); /* Missing e0 value */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0); } void test_fixed_vectors(void) { @@ -613,57 +613,57 @@ void test_fixed_vectors(void) { unsigned char bad[sizeof(total5_used5) + 32] = { 0 }; - rustsecp256k1zkp_v0_5_0_generator input_tags[5]; - rustsecp256k1zkp_v0_5_0_generator output_tag; - rustsecp256k1zkp_v0_5_0_surjectionproof proof; + rustsecp256k1zkp_v0_6_0_generator input_tags[5]; + rustsecp256k1zkp_v0_6_0_generator output_tag; + rustsecp256k1zkp_v0_6_0_surjectionproof proof; - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &input_tags[0], tag0_ser)); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &input_tags[1], tag1_ser)); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &input_tags[2], tag2_ser)); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &input_tags[3], tag3_ser)); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &input_tags[4], tag4_ser)); - CHECK(rustsecp256k1zkp_v0_5_0_generator_parse(ctx, &output_tag, output_tag_ser)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &input_tags[0], tag0_ser)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &input_tags[1], tag1_ser)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &input_tags[2], tag2_ser)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &input_tags[3], tag3_ser)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &input_tags[4], tag4_ser)); + CHECK(rustsecp256k1zkp_v0_6_0_generator_parse(ctx, &output_tag, output_tag_ser)); /* check 1-of-1 */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len)); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, input_tags, 1, &output_tag)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, input_tags, 1, &output_tag)); /* check 1-of-2 */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, total2_used1, total2_used1_len)); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, input_tags, 2, &output_tag)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, total2_used1, total2_used1_len)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, input_tags, 2, &output_tag)); /* check 2-of-3 */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, total3_used2, total3_used2_len)); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, input_tags, 3, &output_tag)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, total3_used2, total3_used2_len)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, input_tags, 3, &output_tag)); /* check 3-of-5 */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, total5_used3, total5_used3_len)); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, total5_used3, total5_used3_len)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag)); /* check 5-of-5 */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, total5_used5, total5_used5_len)); - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, total5_used5, total5_used5_len)); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag)); /* check invalid length fails */ - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, total5_used5, total5_used3_len)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, total5_used5, total5_used3_len)); /* check invalid keys fail */ - CHECK(rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len)); - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, &input_tags[1], 1, &output_tag)); - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_verify(ctx, &proof, input_tags, 1, &input_tags[0])); + CHECK(rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, &input_tags[1], 1, &output_tag)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_verify(ctx, &proof, input_tags, 1, &input_tags[0])); /* Try setting 6 bits on the total5-used-5; check that parsing fails */ memcpy(bad, total5_used5, total5_used5_len); bad[2] = 0x3f; /* 0x1f -> 0x3f */ - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); /* Correct for the length */ - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32)); /* Alternately just turn off one of the "legit" bits */ bad[2] = 0x37; /* 0x1f -> 0x37 */ - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); /* Similarly try setting 4 bits on the total5-used-3, with one bit out of range */ memcpy(bad, total5_used3, total5_used3_len); bad[2] = 0x35; /* 0x15 -> 0x35 */ - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32)); bad[2] = 0x34; /* 0x15 -> 0x34 */ - CHECK(!rustsecp256k1zkp_v0_5_0_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); + CHECK(!rustsecp256k1zkp_v0_6_0_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); } void run_surjection_tests(void) { diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/Makefile.am.include b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/Makefile.am.include index 4e01f2b3..d7f7288f 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/Makefile.am.include +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1zkp_v0_5_0_whitelist.h +include_HEADERS += include/rustsecp256k1zkp_v0_6_0_whitelist.h noinst_HEADERS += src/modules/whitelist/whitelist_impl.h noinst_HEADERS += src/modules/whitelist/main_impl.h noinst_HEADERS += src/modules/whitelist/tests_impl.h diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/main_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/main_impl.h index d6cd5523..2ae021f4 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/main_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/main_impl.h @@ -12,21 +12,21 @@ #define MAX_KEYS SECP256K1_WHITELIST_MAX_N_KEYS /* shorter alias */ -int rustsecp256k1zkp_v0_5_0_whitelist_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_whitelist_signature *sig, const rustsecp256k1zkp_v0_5_0_pubkey *online_pubkeys, const rustsecp256k1zkp_v0_5_0_pubkey *offline_pubkeys, const size_t n_keys, const rustsecp256k1zkp_v0_5_0_pubkey *sub_pubkey, const unsigned char *online_seckey, const unsigned char *summed_seckey, const size_t index, rustsecp256k1zkp_v0_5_0_nonce_function noncefp, const void *noncedata) { - rustsecp256k1zkp_v0_5_0_gej pubs[MAX_KEYS]; - rustsecp256k1zkp_v0_5_0_scalar s[MAX_KEYS]; - rustsecp256k1zkp_v0_5_0_scalar sec, non; +int rustsecp256k1zkp_v0_6_0_whitelist_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_whitelist_signature *sig, const rustsecp256k1zkp_v0_6_0_pubkey *online_pubkeys, const rustsecp256k1zkp_v0_6_0_pubkey *offline_pubkeys, const size_t n_keys, const rustsecp256k1zkp_v0_6_0_pubkey *sub_pubkey, const unsigned char *online_seckey, const unsigned char *summed_seckey, const size_t index, rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void *noncedata) { + rustsecp256k1zkp_v0_6_0_gej pubs[MAX_KEYS]; + rustsecp256k1zkp_v0_6_0_scalar s[MAX_KEYS]; + rustsecp256k1zkp_v0_6_0_scalar sec, non; unsigned char msg32[32]; int ret; if (noncefp == NULL) { - noncefp = rustsecp256k1zkp_v0_5_0_nonce_function_default; + noncefp = rustsecp256k1zkp_v0_6_0_nonce_function_default; } /* Sanity checks */ VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(sig != NULL); ARG_CHECK(online_pubkeys != NULL); ARG_CHECK(offline_pubkeys != NULL); @@ -37,11 +37,11 @@ int rustsecp256k1zkp_v0_5_0_whitelist_sign(const rustsecp256k1zkp_v0_5_0_context ARG_CHECK(index < n_keys); /* Compute pubkeys: online_pubkey + tweaked(offline_pubkey + address), and message */ - ret = rustsecp256k1zkp_v0_5_0_whitelist_compute_keys_and_message(ctx, msg32, pubs, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey); + ret = rustsecp256k1zkp_v0_6_0_whitelist_compute_keys_and_message(ctx, msg32, pubs, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey); /* Compute signing key: online_seckey + tweaked(summed_seckey) */ if (ret) { - ret = rustsecp256k1zkp_v0_5_0_whitelist_compute_tweaked_privkey(ctx, &sec, online_seckey, summed_seckey); + ret = rustsecp256k1zkp_v0_6_0_whitelist_compute_tweaked_privkey(ctx, &sec, online_seckey, summed_seckey); } /* Compute nonce and random s-values */ if (ret) { @@ -49,7 +49,7 @@ int rustsecp256k1zkp_v0_5_0_whitelist_sign(const rustsecp256k1zkp_v0_5_0_context unsigned int count = 0; int overflow = 0; - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey32, &sec); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey32, &sec); while (1) { size_t i; unsigned char nonce32[32]; @@ -58,9 +58,9 @@ int rustsecp256k1zkp_v0_5_0_whitelist_sign(const rustsecp256k1zkp_v0_5_0_context if (!ret) { break; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&non, nonce32, &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&non, nonce32, &overflow); memset(nonce32, 0, 32); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&non)) { + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&non)) { count++; continue; } @@ -72,10 +72,10 @@ int rustsecp256k1zkp_v0_5_0_whitelist_sign(const rustsecp256k1zkp_v0_5_0_context if (!ret) { break; } - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s[i], &sig->data[32 * (i + 1)], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s[i], &sig->data[32 * (i + 1)], &overflow); msg32[0] ^= i + 1; msg32[1] ^= (i + 1) / 0x100; - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s[i])) { + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s[i])) { count++; done = 0; break; @@ -90,24 +90,24 @@ int rustsecp256k1zkp_v0_5_0_whitelist_sign(const rustsecp256k1zkp_v0_5_0_context /* Actually sign */ if (ret) { sig->n_keys = n_keys; - ret = rustsecp256k1zkp_v0_5_0_borromean_sign(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, &sig->data[0], s, pubs, &non, &sec, &n_keys, &index, 1, msg32, 32); + ret = rustsecp256k1zkp_v0_6_0_borromean_sign(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, &sig->data[0], s, pubs, &non, &sec, &n_keys, &index, 1, msg32, 32); /* Signing will change s[index], so update in the sig structure */ - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig->data[32 * (index + 1)], &s[index]); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig->data[32 * (index + 1)], &s[index]); } - rustsecp256k1zkp_v0_5_0_scalar_clear(&non); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&non); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } -int rustsecp256k1zkp_v0_5_0_whitelist_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_whitelist_signature *sig, const rustsecp256k1zkp_v0_5_0_pubkey *online_pubkeys, const rustsecp256k1zkp_v0_5_0_pubkey *offline_pubkeys, const size_t n_keys, const rustsecp256k1zkp_v0_5_0_pubkey *sub_pubkey) { - rustsecp256k1zkp_v0_5_0_scalar s[MAX_KEYS]; - rustsecp256k1zkp_v0_5_0_gej pubs[MAX_KEYS]; +int rustsecp256k1zkp_v0_6_0_whitelist_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_whitelist_signature *sig, const rustsecp256k1zkp_v0_6_0_pubkey *online_pubkeys, const rustsecp256k1zkp_v0_6_0_pubkey *offline_pubkeys, const size_t n_keys, const rustsecp256k1zkp_v0_6_0_pubkey *sub_pubkey) { + rustsecp256k1zkp_v0_6_0_scalar s[MAX_KEYS]; + rustsecp256k1zkp_v0_6_0_gej pubs[MAX_KEYS]; unsigned char msg32[32]; size_t i; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(sig != NULL); ARG_CHECK(online_pubkeys != NULL); ARG_CHECK(offline_pubkeys != NULL); @@ -118,25 +118,25 @@ int rustsecp256k1zkp_v0_5_0_whitelist_verify(const rustsecp256k1zkp_v0_5_0_conte } for (i = 0; i < sig->n_keys; i++) { int overflow = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s[i], &sig->data[32 * (i + 1)], &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s[i])) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s[i], &sig->data[32 * (i + 1)], &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&s[i])) { return 0; } } /* Compute pubkeys: online_pubkey + tweaked(offline_pubkey + address), and message */ - if (!rustsecp256k1zkp_v0_5_0_whitelist_compute_keys_and_message(ctx, msg32, pubs, online_pubkeys, offline_pubkeys, sig->n_keys, sub_pubkey)) { + if (!rustsecp256k1zkp_v0_6_0_whitelist_compute_keys_and_message(ctx, msg32, pubs, online_pubkeys, offline_pubkeys, sig->n_keys, sub_pubkey)) { return 0; } /* Do verification */ - return rustsecp256k1zkp_v0_5_0_borromean_verify(&ctx->ecmult_ctx, NULL, &sig->data[0], s, pubs, &sig->n_keys, 1, msg32, 32); + return rustsecp256k1zkp_v0_6_0_borromean_verify(&ctx->ecmult_ctx, NULL, &sig->data[0], s, pubs, &sig->n_keys, 1, msg32, 32); } -size_t rustsecp256k1zkp_v0_5_0_whitelist_signature_n_keys(const rustsecp256k1zkp_v0_5_0_whitelist_signature *sig) { +size_t rustsecp256k1zkp_v0_6_0_whitelist_signature_n_keys(const rustsecp256k1zkp_v0_6_0_whitelist_signature *sig) { return sig->n_keys; } -int rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_whitelist_signature *sig, const unsigned char *input, size_t input_len) { +int rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_whitelist_signature *sig, const unsigned char *input, size_t input_len) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(input != NULL); @@ -154,7 +154,7 @@ int rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(const rustsecp256k1zkp_v0_ return 1; } -int rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, size_t *output_len, const rustsecp256k1zkp_v0_5_0_whitelist_signature *sig) { +int rustsecp256k1zkp_v0_6_0_whitelist_signature_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *output_len, const rustsecp256k1zkp_v0_6_0_whitelist_signature *sig) { VERIFY_CHECK(ctx != NULL); ARG_CHECK(output != NULL); ARG_CHECK(output_len != NULL); diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/tests_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/tests_impl.h index 1bfc306b..6080084d 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/tests_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/tests_impl.h @@ -12,74 +12,74 @@ void test_whitelist_end_to_end(const size_t n_keys) { unsigned char **online_seckey = (unsigned char **) malloc(n_keys * sizeof(*online_seckey)); unsigned char **summed_seckey = (unsigned char **) malloc(n_keys * sizeof(*summed_seckey)); - rustsecp256k1zkp_v0_5_0_pubkey *online_pubkeys = (rustsecp256k1zkp_v0_5_0_pubkey *) malloc(n_keys * sizeof(*online_pubkeys)); - rustsecp256k1zkp_v0_5_0_pubkey *offline_pubkeys = (rustsecp256k1zkp_v0_5_0_pubkey *) malloc(n_keys * sizeof(*offline_pubkeys)); + rustsecp256k1zkp_v0_6_0_pubkey *online_pubkeys = (rustsecp256k1zkp_v0_6_0_pubkey *) malloc(n_keys * sizeof(*online_pubkeys)); + rustsecp256k1zkp_v0_6_0_pubkey *offline_pubkeys = (rustsecp256k1zkp_v0_6_0_pubkey *) malloc(n_keys * sizeof(*offline_pubkeys)); - rustsecp256k1zkp_v0_5_0_scalar ssub; + rustsecp256k1zkp_v0_6_0_scalar ssub; unsigned char csub[32]; - rustsecp256k1zkp_v0_5_0_pubkey sub_pubkey; + rustsecp256k1zkp_v0_6_0_pubkey sub_pubkey; /* Generate random keys */ size_t i; /* Start with subkey */ random_scalar_order_test(&ssub); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(csub, &ssub); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, csub) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &sub_pubkey, csub) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(csub, &ssub); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, csub) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &sub_pubkey, csub) == 1); /* Then offline and online whitelist keys */ for (i = 0; i < n_keys; i++) { - rustsecp256k1zkp_v0_5_0_scalar son, soff; + rustsecp256k1zkp_v0_6_0_scalar son, soff; online_seckey[i] = (unsigned char *) malloc(32); summed_seckey[i] = (unsigned char *) malloc(32); /* Create two keys */ random_scalar_order_test(&son); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(online_seckey[i], &son); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, online_seckey[i]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &online_pubkeys[i], online_seckey[i]) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(online_seckey[i], &son); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, online_seckey[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &online_pubkeys[i], online_seckey[i]) == 1); random_scalar_order_test(&soff); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(summed_seckey[i], &soff); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, summed_seckey[i]) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &offline_pubkeys[i], summed_seckey[i]) == 1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(summed_seckey[i], &soff); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, summed_seckey[i]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &offline_pubkeys[i], summed_seckey[i]) == 1); /* Make summed_seckey correspond to the sum of offline_pubkey and sub_pubkey */ - rustsecp256k1zkp_v0_5_0_scalar_add(&soff, &soff, &ssub); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(summed_seckey[i], &soff); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, summed_seckey[i]) == 1); + rustsecp256k1zkp_v0_6_0_scalar_add(&soff, &soff, &ssub); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(summed_seckey[i], &soff); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, summed_seckey[i]) == 1); } /* Sign/verify with each one */ for (i = 0; i < n_keys; i++) { unsigned char serialized[32 + 4 + 32 * SECP256K1_WHITELIST_MAX_N_KEYS] = {0}; size_t slen = sizeof(serialized); - rustsecp256k1zkp_v0_5_0_whitelist_signature sig; - rustsecp256k1zkp_v0_5_0_whitelist_signature sig1; + rustsecp256k1zkp_v0_6_0_whitelist_signature sig; + rustsecp256k1zkp_v0_6_0_whitelist_signature sig1; - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_sign(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, &sub_pubkey, online_seckey[i], summed_seckey[i], i, NULL, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_verify(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, &sub_pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_sign(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, &sub_pubkey, online_seckey[i], summed_seckey[i], i, NULL, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_verify(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, &sub_pubkey) == 1); /* Check that exchanging keys causes a failure */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, &sub_pubkey) != 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, &sub_pubkey) != 1); /* Serialization round trip */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize(ctx, serialized, &slen, &sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_serialize(ctx, serialized, &slen, &sig) == 1); CHECK(slen == 33 + 32 * n_keys); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig1, serialized, slen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig1, serialized, slen) == 1); /* (Check various bad-length conditions) */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig1, serialized, slen + 32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig1, serialized, slen + 1) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig1, serialized, slen - 1) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig1, serialized, 0) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_verify(ctx, &sig1, online_pubkeys, offline_pubkeys, n_keys, &sub_pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_verify(ctx, &sig1, offline_pubkeys, online_pubkeys, n_keys, &sub_pubkey) != 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig1, serialized, slen + 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig1, serialized, slen + 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig1, serialized, slen - 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig1, serialized, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_verify(ctx, &sig1, online_pubkeys, offline_pubkeys, n_keys, &sub_pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_verify(ctx, &sig1, offline_pubkeys, online_pubkeys, n_keys, &sub_pubkey) != 1); /* Test n_keys */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_n_keys(&sig) == n_keys); - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_n_keys(&sig1) == n_keys); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_n_keys(&sig) == n_keys); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_n_keys(&sig1) == n_keys); /* Test bad number of keys in signature */ sig.n_keys = n_keys + 1; - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, &sub_pubkey) != 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, &sub_pubkey) != 1); sig.n_keys = n_keys; } @@ -94,7 +94,7 @@ void test_whitelist_end_to_end(const size_t n_keys) { } void test_whitelist_bad_parse(void) { - rustsecp256k1zkp_v0_5_0_whitelist_signature sig; + rustsecp256k1zkp_v0_6_0_whitelist_signature sig; const unsigned char serialized0[] = { 1+32*(0+1) }; const unsigned char serialized1[] = { @@ -113,11 +113,11 @@ void test_whitelist_bad_parse(void) { }; /* Empty input */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig, serialized0, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig, serialized0, 0) == 0); /* Misses one byte of e0 */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig, serialized1, sizeof(serialized1)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig, serialized1, sizeof(serialized1)) == 0); /* Enough bytes for e0, but there is no s value */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig, serialized2, sizeof(serialized2)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig, serialized2, sizeof(serialized2)) == 0); } void test_whitelist_bad_serialize(void) { @@ -129,12 +129,12 @@ void test_whitelist_bad_serialize(void) { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; size_t serialized_len; - rustsecp256k1zkp_v0_5_0_whitelist_signature sig; + rustsecp256k1zkp_v0_6_0_whitelist_signature sig; - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_parse(ctx, &sig, serialized, sizeof(serialized)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_parse(ctx, &sig, serialized, sizeof(serialized)) == 1); serialized_len = sizeof(serialized) - 1; /* Output buffer is one byte too short */ - CHECK(rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize(ctx, serialized, &serialized_len, &sig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_whitelist_signature_serialize(ctx, serialized, &serialized_len, &sig) == 0); } void run_whitelist_tests(void) { diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/whitelist_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/whitelist_impl.h index d3424fbb..f7eace95 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/whitelist_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/modules/whitelist/whitelist_impl.h @@ -7,75 +7,75 @@ #ifndef _SECP256K1_WHITELIST_IMPL_H_ #define _SECP256K1_WHITELIST_IMPL_H_ -static int rustsecp256k1zkp_v0_5_0_whitelist_hash_pubkey(rustsecp256k1zkp_v0_5_0_scalar* output, rustsecp256k1zkp_v0_5_0_gej* pubkey) { +static int rustsecp256k1zkp_v0_6_0_whitelist_hash_pubkey(rustsecp256k1zkp_v0_6_0_scalar* output, rustsecp256k1zkp_v0_6_0_gej* pubkey) { unsigned char h[32]; unsigned char c[33]; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; int overflow = 0; size_t size = 33; - rustsecp256k1zkp_v0_5_0_ge ge; + rustsecp256k1zkp_v0_6_0_ge ge; - rustsecp256k1zkp_v0_5_0_ge_set_gej(&ge, pubkey); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&ge, pubkey); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&ge, c, &size, SECP256K1_EC_COMPRESSED)) { + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&ge, c, &size, SECP256K1_EC_COMPRESSED)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, c, size); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, h); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, c, size); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, h); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(output, h, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(output)) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(output, h, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(output)) { /* This return path is mathematically impossible to hit */ - rustsecp256k1zkp_v0_5_0_scalar_clear(output); + rustsecp256k1zkp_v0_6_0_scalar_clear(output); return 0; } return 1; } -static int rustsecp256k1zkp_v0_5_0_whitelist_tweak_pubkey(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_gej* pub_tweaked) { - rustsecp256k1zkp_v0_5_0_scalar tweak; - rustsecp256k1zkp_v0_5_0_scalar zero; +static int rustsecp256k1zkp_v0_6_0_whitelist_tweak_pubkey(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_gej* pub_tweaked) { + rustsecp256k1zkp_v0_6_0_scalar tweak; + rustsecp256k1zkp_v0_6_0_scalar zero; int ret; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&zero, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&zero, 0); - ret = rustsecp256k1zkp_v0_5_0_whitelist_hash_pubkey(&tweak, pub_tweaked); + ret = rustsecp256k1zkp_v0_6_0_whitelist_hash_pubkey(&tweak, pub_tweaked); if (ret) { - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, pub_tweaked, pub_tweaked, &tweak, &zero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, pub_tweaked, pub_tweaked, &tweak, &zero); } return ret; } -static int rustsecp256k1zkp_v0_5_0_whitelist_compute_tweaked_privkey(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar* skey, const unsigned char *online_key, const unsigned char *summed_key) { - rustsecp256k1zkp_v0_5_0_scalar tweak; +static int rustsecp256k1zkp_v0_6_0_whitelist_compute_tweaked_privkey(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar* skey, const unsigned char *online_key, const unsigned char *summed_key) { + rustsecp256k1zkp_v0_6_0_scalar tweak; int ret = 1; int overflow = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(skey, summed_key, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(skey)) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(skey, summed_key, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(skey)) { ret = 0; } if (ret) { - rustsecp256k1zkp_v0_5_0_gej pkeyj; - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pkeyj, skey); - ret = rustsecp256k1zkp_v0_5_0_whitelist_hash_pubkey(&tweak, &pkeyj); + rustsecp256k1zkp_v0_6_0_gej pkeyj; + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pkeyj, skey); + ret = rustsecp256k1zkp_v0_6_0_whitelist_hash_pubkey(&tweak, &pkeyj); } if (ret) { - rustsecp256k1zkp_v0_5_0_scalar sonline; - rustsecp256k1zkp_v0_5_0_scalar_mul(skey, skey, &tweak); + rustsecp256k1zkp_v0_6_0_scalar sonline; + rustsecp256k1zkp_v0_6_0_scalar_mul(skey, skey, &tweak); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sonline, online_key, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&sonline)) { + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sonline, online_key, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(&sonline)) { ret = 0; } - rustsecp256k1zkp_v0_5_0_scalar_add(skey, skey, &sonline); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sonline); - rustsecp256k1zkp_v0_5_0_scalar_clear(&tweak); + rustsecp256k1zkp_v0_6_0_scalar_add(skey, skey, &sonline); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sonline); + rustsecp256k1zkp_v0_6_0_scalar_clear(&tweak); } if (!ret) { - rustsecp256k1zkp_v0_5_0_scalar_clear(skey); + rustsecp256k1zkp_v0_6_0_scalar_clear(skey); } return ret; } @@ -83,45 +83,45 @@ static int rustsecp256k1zkp_v0_5_0_whitelist_compute_tweaked_privkey(const rusts /* Takes a list of pubkeys and combines them to form the public keys needed * for the ring signature; also produce a commitment to every one that will * be our "message". */ -static int rustsecp256k1zkp_v0_5_0_whitelist_compute_keys_and_message(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *msg32, rustsecp256k1zkp_v0_5_0_gej *keys, const rustsecp256k1zkp_v0_5_0_pubkey *online_pubkeys, const rustsecp256k1zkp_v0_5_0_pubkey *offline_pubkeys, const int n_keys, const rustsecp256k1zkp_v0_5_0_pubkey *sub_pubkey) { +static int rustsecp256k1zkp_v0_6_0_whitelist_compute_keys_and_message(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *msg32, rustsecp256k1zkp_v0_6_0_gej *keys, const rustsecp256k1zkp_v0_6_0_pubkey *online_pubkeys, const rustsecp256k1zkp_v0_6_0_pubkey *offline_pubkeys, const int n_keys, const rustsecp256k1zkp_v0_6_0_pubkey *sub_pubkey) { unsigned char c[33]; size_t size = 33; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; int i; - rustsecp256k1zkp_v0_5_0_ge subkey_ge; + rustsecp256k1zkp_v0_6_0_ge subkey_ge; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &subkey_ge, sub_pubkey); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &subkey_ge, sub_pubkey); /* commit to sub-key */ - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&subkey_ge, c, &size, SECP256K1_EC_COMPRESSED)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&subkey_ge, c, &size, SECP256K1_EC_COMPRESSED)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, c, size); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, c, size); for (i = 0; i < n_keys; i++) { - rustsecp256k1zkp_v0_5_0_ge offline_ge; - rustsecp256k1zkp_v0_5_0_ge online_ge; - rustsecp256k1zkp_v0_5_0_gej tweaked_gej; + rustsecp256k1zkp_v0_6_0_ge offline_ge; + rustsecp256k1zkp_v0_6_0_ge online_ge; + rustsecp256k1zkp_v0_6_0_gej tweaked_gej; /* commit to fixed keys */ - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &offline_ge, &offline_pubkeys[i]); - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&offline_ge, c, &size, SECP256K1_EC_COMPRESSED)) { + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &offline_ge, &offline_pubkeys[i]); + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&offline_ge, c, &size, SECP256K1_EC_COMPRESSED)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, c, size); - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &online_ge, &online_pubkeys[i]); - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&online_ge, c, &size, SECP256K1_EC_COMPRESSED)) { + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, c, size); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &online_ge, &online_pubkeys[i]); + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&online_ge, c, &size, SECP256K1_EC_COMPRESSED)) { return 0; } - rustsecp256k1zkp_v0_5_0_sha256_write(&sha, c, size); + rustsecp256k1zkp_v0_6_0_sha256_write(&sha, c, size); /* compute tweaked keys */ - rustsecp256k1zkp_v0_5_0_gej_set_ge(&tweaked_gej, &offline_ge); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&tweaked_gej, &tweaked_gej, &subkey_ge, NULL); - rustsecp256k1zkp_v0_5_0_whitelist_tweak_pubkey(ctx, &tweaked_gej); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&keys[i], &tweaked_gej, &online_ge, NULL); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&tweaked_gej, &offline_ge); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&tweaked_gej, &tweaked_gej, &subkey_ge, NULL); + rustsecp256k1zkp_v0_6_0_whitelist_tweak_pubkey(ctx, &tweaked_gej); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&keys[i], &tweaked_gej, &online_ge, NULL); } - rustsecp256k1zkp_v0_5_0_sha256_finalize(&sha, msg32); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&sha, msg32); return 1; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/num.h b/secp256k1-zkp-sys/depend/secp256k1/src/num.h deleted file mode 100644 index 99d02953..00000000 --- a/secp256k1-zkp-sys/depend/secp256k1/src/num.h +++ /dev/null @@ -1,74 +0,0 @@ -/*********************************************************************** - * Copyright (c) 2013, 2014 Pieter Wuille * - * Distributed under the MIT software license, see the accompanying * - * file COPYING or https://www.opensource.org/licenses/mit-license.php.* - ***********************************************************************/ - -#ifndef SECP256K1_NUM_H -#define SECP256K1_NUM_H - -#ifndef USE_NUM_NONE - -#if defined HAVE_CONFIG_H -#include "libsecp256k1-config.h" -#endif - -#if defined(USE_NUM_GMP) -#include "num_gmp.h" -#else -#error "Please select num implementation" -#endif - -/** Copy a number. */ -static void rustsecp256k1zkp_v0_5_0_num_copy(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a); - -/** Convert a number's absolute value to a binary big-endian string. - * There must be enough place. */ -static void rustsecp256k1zkp_v0_5_0_num_get_bin(unsigned char *r, unsigned int rlen, const rustsecp256k1zkp_v0_5_0_num *a); - -/** Set a number to the value of a binary big-endian string. */ -static void rustsecp256k1zkp_v0_5_0_num_set_bin(rustsecp256k1zkp_v0_5_0_num *r, const unsigned char *a, unsigned int alen); - -/** Compute a modular inverse. The input must be less than the modulus. */ -static void rustsecp256k1zkp_v0_5_0_num_mod_inverse(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *m); - -/** Compute the jacobi symbol (a|b). b must be positive and odd. */ -static int rustsecp256k1zkp_v0_5_0_num_jacobi(const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b); - -/** Compare the absolute value of two numbers. */ -static int rustsecp256k1zkp_v0_5_0_num_cmp(const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b); - -/** Test whether two number are equal (including sign). */ -static int rustsecp256k1zkp_v0_5_0_num_eq(const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b); - -/** Add two (signed) numbers. */ -static void rustsecp256k1zkp_v0_5_0_num_add(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b); - -/** Subtract two (signed) numbers. */ -static void rustsecp256k1zkp_v0_5_0_num_sub(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b); - -/** Multiply two (signed) numbers. */ -static void rustsecp256k1zkp_v0_5_0_num_mul(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b); - -/** Replace a number by its remainder modulo m. M's sign is ignored. The result is a number between 0 and m-1, - even if r was negative. */ -static void rustsecp256k1zkp_v0_5_0_num_mod(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *m); - -/** Right-shift the passed number by bits bits. */ -static void rustsecp256k1zkp_v0_5_0_num_shift(rustsecp256k1zkp_v0_5_0_num *r, int bits); - -/** Check whether a number is zero. */ -static int rustsecp256k1zkp_v0_5_0_num_is_zero(const rustsecp256k1zkp_v0_5_0_num *a); - -/** Check whether a number is one. */ -static int rustsecp256k1zkp_v0_5_0_num_is_one(const rustsecp256k1zkp_v0_5_0_num *a); - -/** Check whether a number is strictly negative. */ -static int rustsecp256k1zkp_v0_5_0_num_is_neg(const rustsecp256k1zkp_v0_5_0_num *a); - -/** Change a number's sign. */ -static void rustsecp256k1zkp_v0_5_0_num_negate(rustsecp256k1zkp_v0_5_0_num *r); - -#endif - -#endif /* SECP256K1_NUM_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/num_gmp.h b/secp256k1-zkp-sys/depend/secp256k1/src/num_gmp.h deleted file mode 100644 index 7506e599..00000000 --- a/secp256k1-zkp-sys/depend/secp256k1/src/num_gmp.h +++ /dev/null @@ -1,20 +0,0 @@ -/*********************************************************************** - * Copyright (c) 2013, 2014 Pieter Wuille * - * Distributed under the MIT software license, see the accompanying * - * file COPYING or https://www.opensource.org/licenses/mit-license.php.* - ***********************************************************************/ - -#ifndef SECP256K1_NUM_REPR_H -#define SECP256K1_NUM_REPR_H - -#include - -#define NUM_LIMBS ((256+GMP_NUMB_BITS-1)/GMP_NUMB_BITS) - -typedef struct { - mp_limb_t data[2*NUM_LIMBS]; - int neg; - int limbs; -} rustsecp256k1zkp_v0_5_0_num; - -#endif /* SECP256K1_NUM_REPR_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/num_gmp_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/num_gmp_impl.h deleted file mode 100644 index d3045bed..00000000 --- a/secp256k1-zkp-sys/depend/secp256k1/src/num_gmp_impl.h +++ /dev/null @@ -1,288 +0,0 @@ -/*********************************************************************** - * Copyright (c) 2013, 2014 Pieter Wuille * - * Distributed under the MIT software license, see the accompanying * - * file COPYING or https://www.opensource.org/licenses/mit-license.php.* - ***********************************************************************/ - -#ifndef SECP256K1_NUM_REPR_IMPL_H -#define SECP256K1_NUM_REPR_IMPL_H - -#include -#include -#include - -#include "util.h" -#include "num.h" - -#ifdef VERIFY -static void rustsecp256k1zkp_v0_5_0_num_sanity(const rustsecp256k1zkp_v0_5_0_num *a) { - VERIFY_CHECK(a->limbs == 1 || (a->limbs > 1 && a->data[a->limbs-1] != 0)); -} -#else -#define rustsecp256k1zkp_v0_5_0_num_sanity(a) do { } while(0) -#endif - -static void rustsecp256k1zkp_v0_5_0_num_copy(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a) { - *r = *a; -} - -static void rustsecp256k1zkp_v0_5_0_num_get_bin(unsigned char *r, unsigned int rlen, const rustsecp256k1zkp_v0_5_0_num *a) { - unsigned char tmp[65]; - int len = 0; - int shift = 0; - if (a->limbs>1 || a->data[0] != 0) { - len = mpn_get_str(tmp, 256, (mp_limb_t*)a->data, a->limbs); - } - while (shift < len && tmp[shift] == 0) shift++; - VERIFY_CHECK(len-shift <= (int)rlen); - memset(r, 0, rlen - len + shift); - if (len > shift) { - memcpy(r + rlen - len + shift, tmp + shift, len - shift); - } - memset(tmp, 0, sizeof(tmp)); -} - -static void rustsecp256k1zkp_v0_5_0_num_set_bin(rustsecp256k1zkp_v0_5_0_num *r, const unsigned char *a, unsigned int alen) { - int len; - VERIFY_CHECK(alen > 0); - VERIFY_CHECK(alen <= 64); - len = mpn_set_str(r->data, a, alen, 256); - if (len == 0) { - r->data[0] = 0; - len = 1; - } - VERIFY_CHECK(len <= NUM_LIMBS*2); - r->limbs = len; - r->neg = 0; - while (r->limbs > 1 && r->data[r->limbs-1]==0) { - r->limbs--; - } -} - -static void rustsecp256k1zkp_v0_5_0_num_add_abs(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - mp_limb_t c = mpn_add(r->data, a->data, a->limbs, b->data, b->limbs); - r->limbs = a->limbs; - if (c != 0) { - VERIFY_CHECK(r->limbs < 2*NUM_LIMBS); - r->data[r->limbs++] = c; - } -} - -static void rustsecp256k1zkp_v0_5_0_num_sub_abs(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - mp_limb_t c = mpn_sub(r->data, a->data, a->limbs, b->data, b->limbs); - (void)c; - VERIFY_CHECK(c == 0); - r->limbs = a->limbs; - while (r->limbs > 1 && r->data[r->limbs-1]==0) { - r->limbs--; - } -} - -static void rustsecp256k1zkp_v0_5_0_num_mod(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *m) { - rustsecp256k1zkp_v0_5_0_num_sanity(r); - rustsecp256k1zkp_v0_5_0_num_sanity(m); - - if (r->limbs >= m->limbs) { - mp_limb_t t[2*NUM_LIMBS]; - mpn_tdiv_qr(t, r->data, 0, r->data, r->limbs, m->data, m->limbs); - memset(t, 0, sizeof(t)); - r->limbs = m->limbs; - while (r->limbs > 1 && r->data[r->limbs-1]==0) { - r->limbs--; - } - } - - if (r->neg && (r->limbs > 1 || r->data[0] != 0)) { - rustsecp256k1zkp_v0_5_0_num_sub_abs(r, m, r); - r->neg = 0; - } -} - -static void rustsecp256k1zkp_v0_5_0_num_mod_inverse(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *m) { - int i; - mp_limb_t g[NUM_LIMBS+1]; - mp_limb_t u[NUM_LIMBS+1]; - mp_limb_t v[NUM_LIMBS+1]; - mp_size_t sn; - mp_size_t gn; - rustsecp256k1zkp_v0_5_0_num_sanity(a); - rustsecp256k1zkp_v0_5_0_num_sanity(m); - - /** mpn_gcdext computes: (G,S) = gcdext(U,V), where - * * G = gcd(U,V) - * * G = U*S + V*T - * * U has equal or more limbs than V, and V has no padding - * If we set U to be (a padded version of) a, and V = m: - * G = a*S + m*T - * G = a*S mod m - * Assuming G=1: - * S = 1/a mod m - */ - VERIFY_CHECK(m->limbs <= NUM_LIMBS); - VERIFY_CHECK(m->data[m->limbs-1] != 0); - for (i = 0; i < m->limbs; i++) { - u[i] = (i < a->limbs) ? a->data[i] : 0; - v[i] = m->data[i]; - } - sn = NUM_LIMBS+1; - gn = mpn_gcdext(g, r->data, &sn, u, m->limbs, v, m->limbs); - (void)gn; - VERIFY_CHECK(gn == 1); - VERIFY_CHECK(g[0] == 1); - r->neg = a->neg ^ m->neg; - if (sn < 0) { - mpn_sub(r->data, m->data, m->limbs, r->data, -sn); - r->limbs = m->limbs; - while (r->limbs > 1 && r->data[r->limbs-1]==0) { - r->limbs--; - } - } else { - r->limbs = sn; - } - memset(g, 0, sizeof(g)); - memset(u, 0, sizeof(u)); - memset(v, 0, sizeof(v)); -} - -static int rustsecp256k1zkp_v0_5_0_num_jacobi(const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - int ret; - mpz_t ga, gb; - rustsecp256k1zkp_v0_5_0_num_sanity(a); - rustsecp256k1zkp_v0_5_0_num_sanity(b); - VERIFY_CHECK(!b->neg && (b->limbs > 0) && (b->data[0] & 1)); - - mpz_inits(ga, gb, NULL); - - mpz_import(gb, b->limbs, -1, sizeof(mp_limb_t), 0, 0, b->data); - mpz_import(ga, a->limbs, -1, sizeof(mp_limb_t), 0, 0, a->data); - if (a->neg) { - mpz_neg(ga, ga); - } - - ret = mpz_jacobi(ga, gb); - - mpz_clears(ga, gb, NULL); - - return ret; -} - -static int rustsecp256k1zkp_v0_5_0_num_is_one(const rustsecp256k1zkp_v0_5_0_num *a) { - return (a->limbs == 1 && a->data[0] == 1); -} - -static int rustsecp256k1zkp_v0_5_0_num_is_zero(const rustsecp256k1zkp_v0_5_0_num *a) { - return (a->limbs == 1 && a->data[0] == 0); -} - -static int rustsecp256k1zkp_v0_5_0_num_is_neg(const rustsecp256k1zkp_v0_5_0_num *a) { - return (a->limbs > 1 || a->data[0] != 0) && a->neg; -} - -static int rustsecp256k1zkp_v0_5_0_num_cmp(const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - if (a->limbs > b->limbs) { - return 1; - } - if (a->limbs < b->limbs) { - return -1; - } - return mpn_cmp(a->data, b->data, a->limbs); -} - -static int rustsecp256k1zkp_v0_5_0_num_eq(const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - if (a->limbs > b->limbs) { - return 0; - } - if (a->limbs < b->limbs) { - return 0; - } - if ((a->neg && !rustsecp256k1zkp_v0_5_0_num_is_zero(a)) != (b->neg && !rustsecp256k1zkp_v0_5_0_num_is_zero(b))) { - return 0; - } - return mpn_cmp(a->data, b->data, a->limbs) == 0; -} - -static void rustsecp256k1zkp_v0_5_0_num_subadd(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b, int bneg) { - if (!(b->neg ^ bneg ^ a->neg)) { /* a and b have the same sign */ - r->neg = a->neg; - if (a->limbs >= b->limbs) { - rustsecp256k1zkp_v0_5_0_num_add_abs(r, a, b); - } else { - rustsecp256k1zkp_v0_5_0_num_add_abs(r, b, a); - } - } else { - if (rustsecp256k1zkp_v0_5_0_num_cmp(a, b) > 0) { - r->neg = a->neg; - rustsecp256k1zkp_v0_5_0_num_sub_abs(r, a, b); - } else { - r->neg = b->neg ^ bneg; - rustsecp256k1zkp_v0_5_0_num_sub_abs(r, b, a); - } - } -} - -static void rustsecp256k1zkp_v0_5_0_num_add(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - rustsecp256k1zkp_v0_5_0_num_sanity(a); - rustsecp256k1zkp_v0_5_0_num_sanity(b); - rustsecp256k1zkp_v0_5_0_num_subadd(r, a, b, 0); -} - -static void rustsecp256k1zkp_v0_5_0_num_sub(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - rustsecp256k1zkp_v0_5_0_num_sanity(a); - rustsecp256k1zkp_v0_5_0_num_sanity(b); - rustsecp256k1zkp_v0_5_0_num_subadd(r, a, b, 1); -} - -static void rustsecp256k1zkp_v0_5_0_num_mul(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_num *a, const rustsecp256k1zkp_v0_5_0_num *b) { - mp_limb_t tmp[2*NUM_LIMBS+1]; - rustsecp256k1zkp_v0_5_0_num_sanity(a); - rustsecp256k1zkp_v0_5_0_num_sanity(b); - - VERIFY_CHECK(a->limbs + b->limbs <= 2*NUM_LIMBS+1); - if ((a->limbs==1 && a->data[0]==0) || (b->limbs==1 && b->data[0]==0)) { - r->limbs = 1; - r->neg = 0; - r->data[0] = 0; - return; - } - if (a->limbs >= b->limbs) { - mpn_mul(tmp, a->data, a->limbs, b->data, b->limbs); - } else { - mpn_mul(tmp, b->data, b->limbs, a->data, a->limbs); - } - r->limbs = a->limbs + b->limbs; - if (r->limbs > 1 && tmp[r->limbs - 1]==0) { - r->limbs--; - } - VERIFY_CHECK(r->limbs <= 2*NUM_LIMBS); - mpn_copyi(r->data, tmp, r->limbs); - r->neg = a->neg ^ b->neg; - memset(tmp, 0, sizeof(tmp)); -} - -static void rustsecp256k1zkp_v0_5_0_num_shift(rustsecp256k1zkp_v0_5_0_num *r, int bits) { - if (bits % GMP_NUMB_BITS) { - /* Shift within limbs. */ - mpn_rshift(r->data, r->data, r->limbs, bits % GMP_NUMB_BITS); - } - if (bits >= GMP_NUMB_BITS) { - int i; - /* Shift full limbs. */ - for (i = 0; i < r->limbs; i++) { - int index = i + (bits / GMP_NUMB_BITS); - if (index < r->limbs && index < 2*NUM_LIMBS) { - r->data[i] = r->data[index]; - } else { - r->data[i] = 0; - } - } - } - while (r->limbs>1 && r->data[r->limbs-1]==0) { - r->limbs--; - } -} - -static void rustsecp256k1zkp_v0_5_0_num_negate(rustsecp256k1zkp_v0_5_0_num *r) { - r->neg ^= 1; -} - -#endif /* SECP256K1_NUM_REPR_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/num_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/num_impl.h deleted file mode 100644 index 880598ef..00000000 --- a/secp256k1-zkp-sys/depend/secp256k1/src/num_impl.h +++ /dev/null @@ -1,24 +0,0 @@ -/*********************************************************************** - * Copyright (c) 2013, 2014 Pieter Wuille * - * Distributed under the MIT software license, see the accompanying * - * file COPYING or https://www.opensource.org/licenses/mit-license.php.* - ***********************************************************************/ - -#ifndef SECP256K1_NUM_IMPL_H -#define SECP256K1_NUM_IMPL_H - -#if defined HAVE_CONFIG_H -#include "libsecp256k1-config.h" -#endif - -#include "num.h" - -#if defined(USE_NUM_GMP) -#include "num_gmp_impl.h" -#elif defined(USE_NUM_NONE) -/* Nothing. */ -#else -#error "Please select num implementation" -#endif - -#endif /* SECP256K1_NUM_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar.h index c121027e..b08733b8 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar.h @@ -7,7 +7,6 @@ #ifndef SECP256K1_SCALAR_H #define SECP256K1_SCALAR_H -#include "num.h" #include "util.h" #if defined HAVE_CONFIG_H @@ -25,99 +24,88 @@ #endif /** Clear a scalar to prevent the leak of sensitive data. */ -static void rustsecp256k1zkp_v0_5_0_scalar_clear(rustsecp256k1zkp_v0_5_0_scalar *r); +static void rustsecp256k1zkp_v0_6_0_scalar_clear(rustsecp256k1zkp_v0_6_0_scalar *r); /** Access bits from a scalar. All requested bits must belong to the same 32-bit limb. */ -static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count); +static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count); /** Access bits from a scalar. Not constant time. */ -static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count); +static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count); /** Set a scalar from a big endian byte array. The scalar will be reduced modulo group order `n`. * In: bin: pointer to a 32-byte array. * Out: r: scalar to be set. * overflow: non-zero if the scalar was bigger or equal to `n` before reduction, zero otherwise (can be NULL). */ -static void rustsecp256k1zkp_v0_5_0_scalar_set_b32(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char *bin, int *overflow); +static void rustsecp256k1zkp_v0_6_0_scalar_set_b32(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char *bin, int *overflow); /** Set a scalar from a big endian byte array and returns 1 if it is a valid * seckey and 0 otherwise. */ -static int rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char *bin); +static int rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char *bin); /** Set a scalar to an unsigned integer. */ -static void rustsecp256k1zkp_v0_5_0_scalar_set_int(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int v); +static void rustsecp256k1zkp_v0_6_0_scalar_set_int(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int v); /** Set a scalar to an unsigned 64-bit integer */ -static void rustsecp256k1zkp_v0_5_0_scalar_set_u64(rustsecp256k1zkp_v0_5_0_scalar *r, uint64_t v); +static void rustsecp256k1zkp_v0_6_0_scalar_set_u64(rustsecp256k1zkp_v0_6_0_scalar *r, uint64_t v); /** Convert a scalar to a byte array. */ -static void rustsecp256k1zkp_v0_5_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_5_0_scalar* a); +static void rustsecp256k1zkp_v0_6_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_6_0_scalar* a); /** Add two scalars together (modulo the group order). Returns whether it overflowed. */ -static int rustsecp256k1zkp_v0_5_0_scalar_add(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b); +static int rustsecp256k1zkp_v0_6_0_scalar_add(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b); /** Conditionally add a power of two to a scalar. The result is not allowed to overflow. */ -static void rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int bit, int flag); +static void rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int bit, int flag); /** Multiply two scalars (modulo the group order). */ -static void rustsecp256k1zkp_v0_5_0_scalar_mul(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b); +static void rustsecp256k1zkp_v0_6_0_scalar_mul(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b); /** Shift a scalar right by some amount strictly between 0 and 16, returning * the low bits that were shifted off */ -static int rustsecp256k1zkp_v0_5_0_scalar_shr_int(rustsecp256k1zkp_v0_5_0_scalar *r, int n); - -/** Compute the square of a scalar (modulo the group order). */ -static void rustsecp256k1zkp_v0_5_0_scalar_sqr(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a); +static int rustsecp256k1zkp_v0_6_0_scalar_shr_int(rustsecp256k1zkp_v0_6_0_scalar *r, int n); /** Compute the inverse of a scalar (modulo the group order). */ -static void rustsecp256k1zkp_v0_5_0_scalar_inverse(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a); +static void rustsecp256k1zkp_v0_6_0_scalar_inverse(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a); /** Compute the inverse of a scalar (modulo the group order), without constant-time guarantee. */ -static void rustsecp256k1zkp_v0_5_0_scalar_inverse_var(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a); +static void rustsecp256k1zkp_v0_6_0_scalar_inverse_var(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a); /** Compute the complement of a scalar (modulo the group order). */ -static void rustsecp256k1zkp_v0_5_0_scalar_negate(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a); +static void rustsecp256k1zkp_v0_6_0_scalar_negate(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a); /** Check whether a scalar equals zero. */ -static int rustsecp256k1zkp_v0_5_0_scalar_is_zero(const rustsecp256k1zkp_v0_5_0_scalar *a); +static int rustsecp256k1zkp_v0_6_0_scalar_is_zero(const rustsecp256k1zkp_v0_6_0_scalar *a); /** Check whether a scalar equals one. */ -static int rustsecp256k1zkp_v0_5_0_scalar_is_one(const rustsecp256k1zkp_v0_5_0_scalar *a); +static int rustsecp256k1zkp_v0_6_0_scalar_is_one(const rustsecp256k1zkp_v0_6_0_scalar *a); /** Check whether a scalar, considered as an nonnegative integer, is even. */ -static int rustsecp256k1zkp_v0_5_0_scalar_is_even(const rustsecp256k1zkp_v0_5_0_scalar *a); +static int rustsecp256k1zkp_v0_6_0_scalar_is_even(const rustsecp256k1zkp_v0_6_0_scalar *a); /** Check whether a scalar is higher than the group order divided by 2. */ -static int rustsecp256k1zkp_v0_5_0_scalar_is_high(const rustsecp256k1zkp_v0_5_0_scalar *a); +static int rustsecp256k1zkp_v0_6_0_scalar_is_high(const rustsecp256k1zkp_v0_6_0_scalar *a); /** Conditionally negate a number, in constant time. * Returns -1 if the number was negated, 1 otherwise */ -static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_scalar *a, int flag); - -#ifndef USE_NUM_NONE -/** Convert a scalar to a number. */ -static void rustsecp256k1zkp_v0_5_0_scalar_get_num(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_scalar *a); - -/** Get the order of the group as a number. */ -static void rustsecp256k1zkp_v0_5_0_scalar_order_get_num(rustsecp256k1zkp_v0_5_0_num *r); -#endif +static int rustsecp256k1zkp_v0_6_0_scalar_cond_negate(rustsecp256k1zkp_v0_6_0_scalar *a, int flag); /** Compare two scalars. */ -static int rustsecp256k1zkp_v0_5_0_scalar_eq(const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b); +static int rustsecp256k1zkp_v0_6_0_scalar_eq(const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b); /** Find r1 and r2 such that r1+r2*2^128 = k. */ -static void rustsecp256k1zkp_v0_5_0_scalar_split_128(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k); +static void rustsecp256k1zkp_v0_6_0_scalar_split_128(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k); /** Find r1 and r2 such that r1+r2*lambda = k, - * where r1 and r2 or their negations are maximum 128 bits long (see rustsecp256k1zkp_v0_5_0_ge_mul_lambda). */ -static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k); + * where r1 and r2 or their negations are maximum 128 bits long (see rustsecp256k1zkp_v0_6_0_ge_mul_lambda). */ +static void rustsecp256k1zkp_v0_6_0_scalar_split_lambda(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k); /** Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer. Shift must be at least 256. */ -static void rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b, unsigned int shift); +static void rustsecp256k1zkp_v0_6_0_scalar_mul_shift_var(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b, unsigned int shift); /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ -static void rustsecp256k1zkp_v0_5_0_scalar_cmov(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, int flag); +static void rustsecp256k1zkp_v0_6_0_scalar_cmov(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, int flag); /** Generate two scalars from a 32-byte seed and an integer using the chacha20 stream cipher */ -static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const unsigned char *seed, uint64_t idx); +static void rustsecp256k1zkp_v0_6_0_scalar_chacha20(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const unsigned char *seed, uint64_t idx); #endif /* SECP256K1_SCALAR_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64.h index ca3160b7..9499d9c9 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64.h @@ -12,7 +12,7 @@ /** A scalar modulo the group order of the secp256k1 curve. */ typedef struct { uint64_t d[4]; -} rustsecp256k1zkp_v0_5_0_scalar; +} rustsecp256k1zkp_v0_6_0_scalar; #define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{((uint64_t)(d1)) << 32 | (d0), ((uint64_t)(d3)) << 32 | (d2), ((uint64_t)(d5)) << 32 | (d4), ((uint64_t)(d7)) << 32 | (d6)}} diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64_impl.h index 73b89e13..d536f6f2 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_4x64_impl.h @@ -10,6 +10,8 @@ #include "scalar.h" #include +#include "modinv64_impl.h" + /* Limbs of the secp256k1 order. */ #define SECP256K1_N_0 ((uint64_t)0xBFD25E8CD0364141ULL) #define SECP256K1_N_1 ((uint64_t)0xBAAEDCE6AF48A03BULL) @@ -27,44 +29,44 @@ #define SECP256K1_N_H_2 ((uint64_t)0xFFFFFFFFFFFFFFFFULL) #define SECP256K1_N_H_3 ((uint64_t)0x7FFFFFFFFFFFFFFFULL) -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_clear(rustsecp256k1zkp_v0_5_0_scalar *r) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_clear(rustsecp256k1zkp_v0_6_0_scalar *r) { r->d[0] = 0; r->d[1] = 0; r->d[2] = 0; r->d[3] = 0; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_int(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int v) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_set_int(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int v) { r->d[0] = v; r->d[1] = 0; r->d[2] = 0; r->d[3] = 0; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_u64(rustsecp256k1zkp_v0_5_0_scalar *r, uint64_t v) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_set_u64(rustsecp256k1zkp_v0_6_0_scalar *r, uint64_t v) { r->d[0] = v; r->d[1] = 0; r->d[2] = 0; r->d[3] = 0; } -SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK((offset + count - 1) >> 6 == offset >> 6); return (a->d[offset >> 6] >> (offset & 0x3F)) & ((((uint64_t)1) << count) - 1); } -SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK(count < 32); VERIFY_CHECK(offset + count <= 256); if ((offset + count - 1) >> 6 == offset >> 6) { - return rustsecp256k1zkp_v0_5_0_scalar_get_bits(a, offset, count); + return rustsecp256k1zkp_v0_6_0_scalar_get_bits(a, offset, count); } else { VERIFY_CHECK((offset >> 6) + 1 < 4); return ((a->d[offset >> 6] >> (offset & 0x3F)) | (a->d[(offset >> 6) + 1] << (64 - (offset & 0x3F)))) & ((((uint64_t)1) << count) - 1); } } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_check_overflow(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_check_overflow(const rustsecp256k1zkp_v0_6_0_scalar *a) { int yes = 0; int no = 0; no |= (a->d[3] < SECP256K1_N_3); /* No need for a > check. */ @@ -76,7 +78,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_check_overflow(const return yes; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_reduce(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int overflow) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_reduce(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int overflow) { uint128_t t; VERIFY_CHECK(overflow <= 1); t = (uint128_t)r->d[0] + overflow * SECP256K1_N_C_0; @@ -90,7 +92,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_reduce(rustsecp256k1z return overflow; } -static int rustsecp256k1zkp_v0_5_0_scalar_add(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static int rustsecp256k1zkp_v0_6_0_scalar_add(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { int overflow; uint128_t t = (uint128_t)a->d[0] + b->d[0]; r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; @@ -100,13 +102,13 @@ static int rustsecp256k1zkp_v0_5_0_scalar_add(rustsecp256k1zkp_v0_5_0_scalar *r, r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; t += (uint128_t)a->d[3] + b->d[3]; r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; - overflow = t + rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r); + overflow = t + rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r); VERIFY_CHECK(overflow == 0 || overflow == 1); - rustsecp256k1zkp_v0_5_0_scalar_reduce(r, overflow); + rustsecp256k1zkp_v0_6_0_scalar_reduce(r, overflow); return overflow; } -static void rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int bit, int flag) { +static void rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int bit, int flag) { uint128_t t; VERIFY_CHECK(bit < 256); bit += ((uint32_t) flag - 1) & 0x100; /* forcing (bit >> 6) > 3 makes this a noop */ @@ -120,35 +122,35 @@ static void rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(rustsecp256k1zkp_v0_5_0_scal r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL; #ifdef VERIFY VERIFY_CHECK((t >> 64) == 0); - VERIFY_CHECK(rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r) == 0); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r) == 0); #endif } -static void rustsecp256k1zkp_v0_5_0_scalar_set_b32(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char *b32, int *overflow) { +static void rustsecp256k1zkp_v0_6_0_scalar_set_b32(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char *b32, int *overflow) { int over; r->d[0] = (uint64_t)b32[31] | (uint64_t)b32[30] << 8 | (uint64_t)b32[29] << 16 | (uint64_t)b32[28] << 24 | (uint64_t)b32[27] << 32 | (uint64_t)b32[26] << 40 | (uint64_t)b32[25] << 48 | (uint64_t)b32[24] << 56; r->d[1] = (uint64_t)b32[23] | (uint64_t)b32[22] << 8 | (uint64_t)b32[21] << 16 | (uint64_t)b32[20] << 24 | (uint64_t)b32[19] << 32 | (uint64_t)b32[18] << 40 | (uint64_t)b32[17] << 48 | (uint64_t)b32[16] << 56; r->d[2] = (uint64_t)b32[15] | (uint64_t)b32[14] << 8 | (uint64_t)b32[13] << 16 | (uint64_t)b32[12] << 24 | (uint64_t)b32[11] << 32 | (uint64_t)b32[10] << 40 | (uint64_t)b32[9] << 48 | (uint64_t)b32[8] << 56; r->d[3] = (uint64_t)b32[7] | (uint64_t)b32[6] << 8 | (uint64_t)b32[5] << 16 | (uint64_t)b32[4] << 24 | (uint64_t)b32[3] << 32 | (uint64_t)b32[2] << 40 | (uint64_t)b32[1] << 48 | (uint64_t)b32[0] << 56; - over = rustsecp256k1zkp_v0_5_0_scalar_reduce(r, rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r)); + over = rustsecp256k1zkp_v0_6_0_scalar_reduce(r, rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r)); if (overflow) { *overflow = over; } } -static void rustsecp256k1zkp_v0_5_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_5_0_scalar* a) { +static void rustsecp256k1zkp_v0_6_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_6_0_scalar* a) { bin[0] = a->d[3] >> 56; bin[1] = a->d[3] >> 48; bin[2] = a->d[3] >> 40; bin[3] = a->d[3] >> 32; bin[4] = a->d[3] >> 24; bin[5] = a->d[3] >> 16; bin[6] = a->d[3] >> 8; bin[7] = a->d[3]; bin[8] = a->d[2] >> 56; bin[9] = a->d[2] >> 48; bin[10] = a->d[2] >> 40; bin[11] = a->d[2] >> 32; bin[12] = a->d[2] >> 24; bin[13] = a->d[2] >> 16; bin[14] = a->d[2] >> 8; bin[15] = a->d[2]; bin[16] = a->d[1] >> 56; bin[17] = a->d[1] >> 48; bin[18] = a->d[1] >> 40; bin[19] = a->d[1] >> 32; bin[20] = a->d[1] >> 24; bin[21] = a->d[1] >> 16; bin[22] = a->d[1] >> 8; bin[23] = a->d[1]; bin[24] = a->d[0] >> 56; bin[25] = a->d[0] >> 48; bin[26] = a->d[0] >> 40; bin[27] = a->d[0] >> 32; bin[28] = a->d[0] >> 24; bin[29] = a->d[0] >> 16; bin[30] = a->d[0] >> 8; bin[31] = a->d[0]; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_zero(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_zero(const rustsecp256k1zkp_v0_6_0_scalar *a) { return (a->d[0] | a->d[1] | a->d[2] | a->d[3]) == 0; } -static void rustsecp256k1zkp_v0_5_0_scalar_negate(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a) { - uint64_t nonzero = 0xFFFFFFFFFFFFFFFFULL * (rustsecp256k1zkp_v0_5_0_scalar_is_zero(a) == 0); +static void rustsecp256k1zkp_v0_6_0_scalar_negate(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a) { + uint64_t nonzero = 0xFFFFFFFFFFFFFFFFULL * (rustsecp256k1zkp_v0_6_0_scalar_is_zero(a) == 0); uint128_t t = (uint128_t)(~a->d[0]) + SECP256K1_N_0 + 1; r->d[0] = t & nonzero; t >>= 64; t += (uint128_t)(~a->d[1]) + SECP256K1_N_1; @@ -159,11 +161,11 @@ static void rustsecp256k1zkp_v0_5_0_scalar_negate(rustsecp256k1zkp_v0_5_0_scalar r->d[3] = t & nonzero; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_one(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_one(const rustsecp256k1zkp_v0_6_0_scalar *a) { return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3]) == 0; } -static int rustsecp256k1zkp_v0_5_0_scalar_is_high(const rustsecp256k1zkp_v0_5_0_scalar *a) { +static int rustsecp256k1zkp_v0_6_0_scalar_is_high(const rustsecp256k1zkp_v0_6_0_scalar *a) { int yes = 0; int no = 0; no |= (a->d[3] < SECP256K1_N_H_3); @@ -175,11 +177,11 @@ static int rustsecp256k1zkp_v0_5_0_scalar_is_high(const rustsecp256k1zkp_v0_5_0_ return yes; } -static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_scalar *r, int flag) { +static int rustsecp256k1zkp_v0_6_0_scalar_cond_negate(rustsecp256k1zkp_v0_6_0_scalar *r, int flag) { /* If we are flag = 0, mask = 00...00 and this is a no-op; - * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1zkp_v0_5_0_scalar_negate */ + * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1zkp_v0_6_0_scalar_negate */ uint64_t mask = !flag - 1; - uint64_t nonzero = (rustsecp256k1zkp_v0_5_0_scalar_is_zero(r) != 0) - 1; + uint64_t nonzero = (rustsecp256k1zkp_v0_6_0_scalar_is_zero(r) != 0) - 1; uint128_t t = (uint128_t)(r->d[0] ^ mask) + ((SECP256K1_N_0 + 1) & mask); r->d[0] = t & nonzero; t >>= 64; t += (uint128_t)(r->d[1] ^ mask) + (SECP256K1_N_1 & mask); @@ -222,28 +224,6 @@ static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_sc VERIFY_CHECK(c1 >= th); \ } -/** Add 2*a*b to the number defined by (c0,c1,c2). c2 must never overflow. */ -#define muladd2(a,b) { \ - uint64_t tl, th, th2, tl2; \ - { \ - uint128_t t = (uint128_t)a * b; \ - th = t >> 64; /* at most 0xFFFFFFFFFFFFFFFE */ \ - tl = t; \ - } \ - th2 = th + th; /* at most 0xFFFFFFFFFFFFFFFE (in case th was 0x7FFFFFFFFFFFFFFF) */ \ - c2 += (th2 < th); /* never overflows by contract (verified the next line) */ \ - VERIFY_CHECK((th2 >= th) || (c2 != 0)); \ - tl2 = tl + tl; /* at most 0xFFFFFFFFFFFFFFFE (in case the lowest 63 bits of tl were 0x7FFFFFFFFFFFFFFF) */ \ - th2 += (tl2 < tl); /* at most 0xFFFFFFFFFFFFFFFF */ \ - c0 += tl2; /* overflow is handled on the next line */ \ - th2 += (c0 < tl2); /* second overflow is handled on the next line */ \ - c2 += (c0 < tl2) & (th2 == 0); /* never overflows by contract (verified the next line) */ \ - VERIFY_CHECK((c0 >= tl2) || (th2 != 0) || (c2 != 0)); \ - c1 += th2; /* overflow is handled on the next line */ \ - c2 += (c1 < th2); /* never overflows by contract (verified the next line) */ \ - VERIFY_CHECK((c1 >= th2) || (c2 != 0)); \ -} - /** Add a to the number defined by (c0,c1,c2). c2 must never overflow. */ #define sumadd(a) { \ unsigned int over; \ @@ -277,7 +257,7 @@ static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_sc VERIFY_CHECK(c2 == 0); \ } -static void rustsecp256k1zkp_v0_5_0_scalar_reduce_512(rustsecp256k1zkp_v0_5_0_scalar *r, const uint64_t *l) { +static void rustsecp256k1zkp_v0_6_0_scalar_reduce_512(rustsecp256k1zkp_v0_6_0_scalar *r, const uint64_t *l) { #ifdef USE_ASM_X86_64 /* Reduce 512 bits into 385. */ uint64_t m0, m1, m2, m3, m4, m5, m6; @@ -583,10 +563,10 @@ static void rustsecp256k1zkp_v0_5_0_scalar_reduce_512(rustsecp256k1zkp_v0_5_0_sc #endif /* Final reduction of r. */ - rustsecp256k1zkp_v0_5_0_scalar_reduce(r, c + rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r)); + rustsecp256k1zkp_v0_6_0_scalar_reduce(r, c + rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r)); } -static void rustsecp256k1zkp_v0_5_0_scalar_mul_512(uint64_t l[8], const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static void rustsecp256k1zkp_v0_6_0_scalar_mul_512(uint64_t l[8], const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { #ifdef USE_ASM_X86_64 const uint64_t *pb = b->d; __asm__ __volatile__( @@ -753,158 +733,20 @@ static void rustsecp256k1zkp_v0_5_0_scalar_mul_512(uint64_t l[8], const rustsecp #endif } -static void rustsecp256k1zkp_v0_5_0_scalar_sqr_512(uint64_t l[8], const rustsecp256k1zkp_v0_5_0_scalar *a) { -#ifdef USE_ASM_X86_64 - __asm__ __volatile__( - /* Preload */ - "movq 0(%%rdi), %%r11\n" - "movq 8(%%rdi), %%r12\n" - "movq 16(%%rdi), %%r13\n" - "movq 24(%%rdi), %%r14\n" - /* (rax,rdx) = a0 * a0 */ - "movq %%r11, %%rax\n" - "mulq %%r11\n" - /* Extract l0 */ - "movq %%rax, 0(%%rsi)\n" - /* (r8,r9,r10) = (rdx,0) */ - "movq %%rdx, %%r8\n" - "xorq %%r9, %%r9\n" - "xorq %%r10, %%r10\n" - /* (r8,r9,r10) += 2 * a0 * a1 */ - "movq %%r11, %%rax\n" - "mulq %%r12\n" - "addq %%rax, %%r8\n" - "adcq %%rdx, %%r9\n" - "adcq $0, %%r10\n" - "addq %%rax, %%r8\n" - "adcq %%rdx, %%r9\n" - "adcq $0, %%r10\n" - /* Extract l1 */ - "movq %%r8, 8(%%rsi)\n" - "xorq %%r8, %%r8\n" - /* (r9,r10,r8) += 2 * a0 * a2 */ - "movq %%r11, %%rax\n" - "mulq %%r13\n" - "addq %%rax, %%r9\n" - "adcq %%rdx, %%r10\n" - "adcq $0, %%r8\n" - "addq %%rax, %%r9\n" - "adcq %%rdx, %%r10\n" - "adcq $0, %%r8\n" - /* (r9,r10,r8) += a1 * a1 */ - "movq %%r12, %%rax\n" - "mulq %%r12\n" - "addq %%rax, %%r9\n" - "adcq %%rdx, %%r10\n" - "adcq $0, %%r8\n" - /* Extract l2 */ - "movq %%r9, 16(%%rsi)\n" - "xorq %%r9, %%r9\n" - /* (r10,r8,r9) += 2 * a0 * a3 */ - "movq %%r11, %%rax\n" - "mulq %%r14\n" - "addq %%rax, %%r10\n" - "adcq %%rdx, %%r8\n" - "adcq $0, %%r9\n" - "addq %%rax, %%r10\n" - "adcq %%rdx, %%r8\n" - "adcq $0, %%r9\n" - /* (r10,r8,r9) += 2 * a1 * a2 */ - "movq %%r12, %%rax\n" - "mulq %%r13\n" - "addq %%rax, %%r10\n" - "adcq %%rdx, %%r8\n" - "adcq $0, %%r9\n" - "addq %%rax, %%r10\n" - "adcq %%rdx, %%r8\n" - "adcq $0, %%r9\n" - /* Extract l3 */ - "movq %%r10, 24(%%rsi)\n" - "xorq %%r10, %%r10\n" - /* (r8,r9,r10) += 2 * a1 * a3 */ - "movq %%r12, %%rax\n" - "mulq %%r14\n" - "addq %%rax, %%r8\n" - "adcq %%rdx, %%r9\n" - "adcq $0, %%r10\n" - "addq %%rax, %%r8\n" - "adcq %%rdx, %%r9\n" - "adcq $0, %%r10\n" - /* (r8,r9,r10) += a2 * a2 */ - "movq %%r13, %%rax\n" - "mulq %%r13\n" - "addq %%rax, %%r8\n" - "adcq %%rdx, %%r9\n" - "adcq $0, %%r10\n" - /* Extract l4 */ - "movq %%r8, 32(%%rsi)\n" - "xorq %%r8, %%r8\n" - /* (r9,r10,r8) += 2 * a2 * a3 */ - "movq %%r13, %%rax\n" - "mulq %%r14\n" - "addq %%rax, %%r9\n" - "adcq %%rdx, %%r10\n" - "adcq $0, %%r8\n" - "addq %%rax, %%r9\n" - "adcq %%rdx, %%r10\n" - "adcq $0, %%r8\n" - /* Extract l5 */ - "movq %%r9, 40(%%rsi)\n" - /* (r10,r8) += a3 * a3 */ - "movq %%r14, %%rax\n" - "mulq %%r14\n" - "addq %%rax, %%r10\n" - "adcq %%rdx, %%r8\n" - /* Extract l6 */ - "movq %%r10, 48(%%rsi)\n" - /* Extract l7 */ - "movq %%r8, 56(%%rsi)\n" - : - : "S"(l), "D"(a->d) - : "rax", "rdx", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "cc", "memory"); -#else - /* 160 bit accumulator. */ - uint64_t c0 = 0, c1 = 0; - uint32_t c2 = 0; - - /* l[0..7] = a[0..3] * b[0..3]. */ - muladd_fast(a->d[0], a->d[0]); - extract_fast(l[0]); - muladd2(a->d[0], a->d[1]); - extract(l[1]); - muladd2(a->d[0], a->d[2]); - muladd(a->d[1], a->d[1]); - extract(l[2]); - muladd2(a->d[0], a->d[3]); - muladd2(a->d[1], a->d[2]); - extract(l[3]); - muladd2(a->d[1], a->d[3]); - muladd(a->d[2], a->d[2]); - extract(l[4]); - muladd2(a->d[2], a->d[3]); - extract(l[5]); - muladd_fast(a->d[3], a->d[3]); - extract_fast(l[6]); - VERIFY_CHECK(c1 == 0); - l[7] = c0; -#endif -} - #undef sumadd #undef sumadd_fast #undef muladd #undef muladd_fast -#undef muladd2 #undef extract #undef extract_fast -static void rustsecp256k1zkp_v0_5_0_scalar_mul(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static void rustsecp256k1zkp_v0_6_0_scalar_mul(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { uint64_t l[8]; - rustsecp256k1zkp_v0_5_0_scalar_mul_512(l, a, b); - rustsecp256k1zkp_v0_5_0_scalar_reduce_512(r, l); + rustsecp256k1zkp_v0_6_0_scalar_mul_512(l, a, b); + rustsecp256k1zkp_v0_6_0_scalar_reduce_512(r, l); } -static int rustsecp256k1zkp_v0_5_0_scalar_shr_int(rustsecp256k1zkp_v0_5_0_scalar *r, int n) { +static int rustsecp256k1zkp_v0_6_0_scalar_shr_int(rustsecp256k1zkp_v0_6_0_scalar *r, int n) { int ret; VERIFY_CHECK(n > 0); VERIFY_CHECK(n < 16); @@ -916,13 +758,7 @@ static int rustsecp256k1zkp_v0_5_0_scalar_shr_int(rustsecp256k1zkp_v0_5_0_scalar return ret; } -static void rustsecp256k1zkp_v0_5_0_scalar_sqr(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a) { - uint64_t l[8]; - rustsecp256k1zkp_v0_5_0_scalar_sqr_512(l, a); - rustsecp256k1zkp_v0_5_0_scalar_reduce_512(r, l); -} - -static void rustsecp256k1zkp_v0_5_0_scalar_split_128(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k) { +static void rustsecp256k1zkp_v0_6_0_scalar_split_128(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k) { r1->d[0] = k->d[0]; r1->d[1] = k->d[1]; r1->d[2] = 0; @@ -933,17 +769,17 @@ static void rustsecp256k1zkp_v0_5_0_scalar_split_128(rustsecp256k1zkp_v0_5_0_sca r2->d[3] = 0; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_eq(const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_eq(const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3])) == 0; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b, unsigned int shift) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_mul_shift_var(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b, unsigned int shift) { uint64_t l[8]; unsigned int shiftlimbs; unsigned int shiftlow; unsigned int shifthigh; VERIFY_CHECK(shift >= 256); - rustsecp256k1zkp_v0_5_0_scalar_mul_512(l, a, b); + rustsecp256k1zkp_v0_6_0_scalar_mul_512(l, a, b); shiftlimbs = shift >> 6; shiftlow = shift & 0x3F; shifthigh = 64 - shiftlow; @@ -951,10 +787,10 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(rustse r->d[1] = shift < 448 ? (l[1 + shiftlimbs] >> shiftlow | (shift < 384 && shiftlow ? (l[2 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[2] = shift < 384 ? (l[2 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[3 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[3] = shift < 320 ? (l[3 + shiftlimbs] >> shiftlow) : 0; - rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 6] >> ((shift - 1) & 0x3f)) & 1); + rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 6] >> ((shift - 1) & 0x3f)) & 1); } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_scalar_cmov(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_scalar_cmov(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, int flag) { uint64_t mask0, mask1; VG_CHECK_VERIFY(r->d, sizeof(r->d)); mask0 = flag + ~((uint64_t)0); @@ -978,7 +814,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_scalar_cmov(rustsecp256k1zk #define LE32(p) (p) #endif -static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const unsigned char *seed, uint64_t idx) { +static void rustsecp256k1zkp_v0_6_0_scalar_chacha20(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const unsigned char *seed, uint64_t idx) { size_t n; size_t over_count = 0; uint32_t seed32[8]; @@ -1042,8 +878,8 @@ static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scal r2->d[1] = (((uint64_t) x12) << 32) | x13; r2->d[0] = (((uint64_t) x14) << 32) | x15; - over1 = rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r1); - over2 = rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r2); + over1 = rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r1); + over2 = rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r2); over_count++; } while (over1 | over2); } @@ -1052,4 +888,78 @@ static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scal #undef QUARTERROUND #undef LE32 +static void rustsecp256k1zkp_v0_6_0_scalar_from_signed62(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_modinv64_signed62 *a) { + const uint64_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4]; + + /* The output from rustsecp256k1zkp_v0_6_0_modinv64{_var} should be normalized to range [0,modulus), and + * have limbs in [0,2^62). The modulus is < 2^256, so the top limb must be below 2^(256-62*4). + */ + VERIFY_CHECK(a0 >> 62 == 0); + VERIFY_CHECK(a1 >> 62 == 0); + VERIFY_CHECK(a2 >> 62 == 0); + VERIFY_CHECK(a3 >> 62 == 0); + VERIFY_CHECK(a4 >> 8 == 0); + + r->d[0] = a0 | a1 << 62; + r->d[1] = a1 >> 2 | a2 << 60; + r->d[2] = a2 >> 4 | a3 << 58; + r->d[3] = a3 >> 6 | a4 << 56; + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r) == 0); +#endif +} + +static void rustsecp256k1zkp_v0_6_0_scalar_to_signed62(rustsecp256k1zkp_v0_6_0_modinv64_signed62 *r, const rustsecp256k1zkp_v0_6_0_scalar *a) { + const uint64_t M62 = UINT64_MAX >> 2; + const uint64_t a0 = a->d[0], a1 = a->d[1], a2 = a->d[2], a3 = a->d[3]; + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(a) == 0); +#endif + + r->v[0] = a0 & M62; + r->v[1] = (a0 >> 62 | a1 << 2) & M62; + r->v[2] = (a1 >> 60 | a2 << 4) & M62; + r->v[3] = (a2 >> 58 | a3 << 6) & M62; + r->v[4] = a3 >> 56; +} + +static const rustsecp256k1zkp_v0_6_0_modinv64_modinfo rustsecp256k1zkp_v0_6_0_const_modinfo_scalar = { + {{0x3FD25E8CD0364141LL, 0x2ABB739ABD2280EELL, -0x15LL, 0, 256}}, + 0x34F20099AA774EC1LL +}; + +static void rustsecp256k1zkp_v0_6_0_scalar_inverse(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *x) { + rustsecp256k1zkp_v0_6_0_modinv64_signed62 s; +#ifdef VERIFY + int zero_in = rustsecp256k1zkp_v0_6_0_scalar_is_zero(x); +#endif + rustsecp256k1zkp_v0_6_0_scalar_to_signed62(&s, x); + rustsecp256k1zkp_v0_6_0_modinv64(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_scalar); + rustsecp256k1zkp_v0_6_0_scalar_from_signed62(r, &s); + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(r) == zero_in); +#endif +} + +static void rustsecp256k1zkp_v0_6_0_scalar_inverse_var(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *x) { + rustsecp256k1zkp_v0_6_0_modinv64_signed62 s; +#ifdef VERIFY + int zero_in = rustsecp256k1zkp_v0_6_0_scalar_is_zero(x); +#endif + rustsecp256k1zkp_v0_6_0_scalar_to_signed62(&s, x); + rustsecp256k1zkp_v0_6_0_modinv64_var(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_scalar); + rustsecp256k1zkp_v0_6_0_scalar_from_signed62(r, &s); + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(r) == zero_in); +#endif +} + +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_even(const rustsecp256k1zkp_v0_6_0_scalar *a) { + return !(a->d[0] & 1); +} + #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32.h index 27f93ca4..d596b16b 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32.h @@ -12,7 +12,7 @@ /** A scalar modulo the group order of the secp256k1 curve. */ typedef struct { uint32_t d[8]; -} rustsecp256k1zkp_v0_5_0_scalar; +} rustsecp256k1zkp_v0_6_0_scalar; #define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{(d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7)}} diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32_impl.h index 2a96a2d1..0ab71ae1 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_8x32_impl.h @@ -9,6 +9,8 @@ #include +#include "modinv32_impl.h" + /* Limbs of the secp256k1 order. */ #define SECP256K1_N_0 ((uint32_t)0xD0364141UL) #define SECP256K1_N_1 ((uint32_t)0xBFD25E8CUL) @@ -36,7 +38,7 @@ #define SECP256K1_N_H_6 ((uint32_t)0xFFFFFFFFUL) #define SECP256K1_N_H_7 ((uint32_t)0x7FFFFFFFUL) -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_clear(rustsecp256k1zkp_v0_5_0_scalar *r) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_clear(rustsecp256k1zkp_v0_6_0_scalar *r) { r->d[0] = 0; r->d[1] = 0; r->d[2] = 0; @@ -47,7 +49,7 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_clear(rustsecp256k1z r->d[7] = 0; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_int(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int v) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_set_int(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int v) { r->d[0] = v; r->d[1] = 0; r->d[2] = 0; @@ -58,7 +60,7 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_int(rustsecp256k r->d[7] = 0; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_u64(rustsecp256k1zkp_v0_5_0_scalar *r, uint64_t v) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_set_u64(rustsecp256k1zkp_v0_6_0_scalar *r, uint64_t v) { r->d[0] = v; r->d[1] = v >> 32; r->d[2] = 0; @@ -69,23 +71,23 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_u64(rustsecp256k r->d[7] = 0; } -SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK((offset + count - 1) >> 5 == offset >> 5); return (a->d[offset >> 5] >> (offset & 0x1F)) & ((1 << count) - 1); } -SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK(count < 32); VERIFY_CHECK(offset + count <= 256); if ((offset + count - 1) >> 5 == offset >> 5) { - return rustsecp256k1zkp_v0_5_0_scalar_get_bits(a, offset, count); + return rustsecp256k1zkp_v0_6_0_scalar_get_bits(a, offset, count); } else { VERIFY_CHECK((offset >> 5) + 1 < 8); return ((a->d[offset >> 5] >> (offset & 0x1F)) | (a->d[(offset >> 5) + 1] << (32 - (offset & 0x1F)))) & ((((uint32_t)1) << count) - 1); } } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_check_overflow(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_check_overflow(const rustsecp256k1zkp_v0_6_0_scalar *a) { int yes = 0; int no = 0; no |= (a->d[7] < SECP256K1_N_7); /* No need for a > check. */ @@ -103,7 +105,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_check_overflow(const return yes; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_reduce(rustsecp256k1zkp_v0_5_0_scalar *r, uint32_t overflow) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_reduce(rustsecp256k1zkp_v0_6_0_scalar *r, uint32_t overflow) { uint64_t t; VERIFY_CHECK(overflow <= 1); t = (uint64_t)r->d[0] + overflow * SECP256K1_N_C_0; @@ -125,7 +127,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_reduce(rustsecp256k1z return overflow; } -static int rustsecp256k1zkp_v0_5_0_scalar_add(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static int rustsecp256k1zkp_v0_6_0_scalar_add(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { int overflow; uint64_t t = (uint64_t)a->d[0] + b->d[0]; r->d[0] = t & 0xFFFFFFFFULL; t >>= 32; @@ -143,13 +145,13 @@ static int rustsecp256k1zkp_v0_5_0_scalar_add(rustsecp256k1zkp_v0_5_0_scalar *r, r->d[6] = t & 0xFFFFFFFFULL; t >>= 32; t += (uint64_t)a->d[7] + b->d[7]; r->d[7] = t & 0xFFFFFFFFULL; t >>= 32; - overflow = t + rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r); + overflow = t + rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r); VERIFY_CHECK(overflow == 0 || overflow == 1); - rustsecp256k1zkp_v0_5_0_scalar_reduce(r, overflow); + rustsecp256k1zkp_v0_6_0_scalar_reduce(r, overflow); return overflow; } -static void rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int bit, int flag) { +static void rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int bit, int flag) { uint64_t t; VERIFY_CHECK(bit < 256); bit += ((uint32_t) flag - 1) & 0x100; /* forcing (bit >> 5) > 7 makes this a noop */ @@ -171,11 +173,11 @@ static void rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(rustsecp256k1zkp_v0_5_0_scal r->d[7] = t & 0xFFFFFFFFULL; #ifdef VERIFY VERIFY_CHECK((t >> 32) == 0); - VERIFY_CHECK(rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r) == 0); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r) == 0); #endif } -static void rustsecp256k1zkp_v0_5_0_scalar_set_b32(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char *b32, int *overflow) { +static void rustsecp256k1zkp_v0_6_0_scalar_set_b32(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char *b32, int *overflow) { int over; r->d[0] = (uint32_t)b32[31] | (uint32_t)b32[30] << 8 | (uint32_t)b32[29] << 16 | (uint32_t)b32[28] << 24; r->d[1] = (uint32_t)b32[27] | (uint32_t)b32[26] << 8 | (uint32_t)b32[25] << 16 | (uint32_t)b32[24] << 24; @@ -185,13 +187,13 @@ static void rustsecp256k1zkp_v0_5_0_scalar_set_b32(rustsecp256k1zkp_v0_5_0_scala r->d[5] = (uint32_t)b32[11] | (uint32_t)b32[10] << 8 | (uint32_t)b32[9] << 16 | (uint32_t)b32[8] << 24; r->d[6] = (uint32_t)b32[7] | (uint32_t)b32[6] << 8 | (uint32_t)b32[5] << 16 | (uint32_t)b32[4] << 24; r->d[7] = (uint32_t)b32[3] | (uint32_t)b32[2] << 8 | (uint32_t)b32[1] << 16 | (uint32_t)b32[0] << 24; - over = rustsecp256k1zkp_v0_5_0_scalar_reduce(r, rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r)); + over = rustsecp256k1zkp_v0_6_0_scalar_reduce(r, rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r)); if (overflow) { *overflow = over; } } -static void rustsecp256k1zkp_v0_5_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_5_0_scalar* a) { +static void rustsecp256k1zkp_v0_6_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_6_0_scalar* a) { bin[0] = a->d[7] >> 24; bin[1] = a->d[7] >> 16; bin[2] = a->d[7] >> 8; bin[3] = a->d[7]; bin[4] = a->d[6] >> 24; bin[5] = a->d[6] >> 16; bin[6] = a->d[6] >> 8; bin[7] = a->d[6]; bin[8] = a->d[5] >> 24; bin[9] = a->d[5] >> 16; bin[10] = a->d[5] >> 8; bin[11] = a->d[5]; @@ -202,12 +204,12 @@ static void rustsecp256k1zkp_v0_5_0_scalar_get_b32(unsigned char *bin, const rus bin[28] = a->d[0] >> 24; bin[29] = a->d[0] >> 16; bin[30] = a->d[0] >> 8; bin[31] = a->d[0]; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_zero(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_zero(const rustsecp256k1zkp_v0_6_0_scalar *a) { return (a->d[0] | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; } -static void rustsecp256k1zkp_v0_5_0_scalar_negate(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a) { - uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1zkp_v0_5_0_scalar_is_zero(a) == 0); +static void rustsecp256k1zkp_v0_6_0_scalar_negate(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a) { + uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1zkp_v0_6_0_scalar_is_zero(a) == 0); uint64_t t = (uint64_t)(~a->d[0]) + SECP256K1_N_0 + 1; r->d[0] = t & nonzero; t >>= 32; t += (uint64_t)(~a->d[1]) + SECP256K1_N_1; @@ -226,11 +228,11 @@ static void rustsecp256k1zkp_v0_5_0_scalar_negate(rustsecp256k1zkp_v0_5_0_scalar r->d[7] = t & nonzero; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_one(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_one(const rustsecp256k1zkp_v0_6_0_scalar *a) { return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; } -static int rustsecp256k1zkp_v0_5_0_scalar_is_high(const rustsecp256k1zkp_v0_5_0_scalar *a) { +static int rustsecp256k1zkp_v0_6_0_scalar_is_high(const rustsecp256k1zkp_v0_6_0_scalar *a) { int yes = 0; int no = 0; no |= (a->d[7] < SECP256K1_N_H_7); @@ -248,11 +250,11 @@ static int rustsecp256k1zkp_v0_5_0_scalar_is_high(const rustsecp256k1zkp_v0_5_0_ return yes; } -static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_scalar *r, int flag) { +static int rustsecp256k1zkp_v0_6_0_scalar_cond_negate(rustsecp256k1zkp_v0_6_0_scalar *r, int flag) { /* If we are flag = 0, mask = 00...00 and this is a no-op; - * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1zkp_v0_5_0_scalar_negate */ + * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1zkp_v0_6_0_scalar_negate */ uint32_t mask = !flag - 1; - uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1zkp_v0_5_0_scalar_is_zero(r) == 0); + uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1zkp_v0_6_0_scalar_is_zero(r) == 0); uint64_t t = (uint64_t)(r->d[0] ^ mask) + ((SECP256K1_N_0 + 1) & mask); r->d[0] = t & nonzero; t >>= 32; t += (uint64_t)(r->d[1] ^ mask) + (SECP256K1_N_1 & mask); @@ -304,28 +306,6 @@ static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_sc VERIFY_CHECK(c1 >= th); \ } -/** Add 2*a*b to the number defined by (c0,c1,c2). c2 must never overflow. */ -#define muladd2(a,b) { \ - uint32_t tl, th, th2, tl2; \ - { \ - uint64_t t = (uint64_t)a * b; \ - th = t >> 32; /* at most 0xFFFFFFFE */ \ - tl = t; \ - } \ - th2 = th + th; /* at most 0xFFFFFFFE (in case th was 0x7FFFFFFF) */ \ - c2 += (th2 < th); /* never overflows by contract (verified the next line) */ \ - VERIFY_CHECK((th2 >= th) || (c2 != 0)); \ - tl2 = tl + tl; /* at most 0xFFFFFFFE (in case the lowest 63 bits of tl were 0x7FFFFFFF) */ \ - th2 += (tl2 < tl); /* at most 0xFFFFFFFF */ \ - c0 += tl2; /* overflow is handled on the next line */ \ - th2 += (c0 < tl2); /* second overflow is handled on the next line */ \ - c2 += (c0 < tl2) & (th2 == 0); /* never overflows by contract (verified the next line) */ \ - VERIFY_CHECK((c0 >= tl2) || (th2 != 0) || (c2 != 0)); \ - c1 += th2; /* overflow is handled on the next line */ \ - c2 += (c1 < th2); /* never overflows by contract (verified the next line) */ \ - VERIFY_CHECK((c1 >= th2) || (c2 != 0)); \ -} - /** Add a to the number defined by (c0,c1,c2). c2 must never overflow. */ #define sumadd(a) { \ unsigned int over; \ @@ -359,7 +339,7 @@ static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_sc VERIFY_CHECK(c2 == 0); \ } -static void rustsecp256k1zkp_v0_5_0_scalar_reduce_512(rustsecp256k1zkp_v0_5_0_scalar *r, const uint32_t *l) { +static void rustsecp256k1zkp_v0_6_0_scalar_reduce_512(rustsecp256k1zkp_v0_6_0_scalar *r, const uint32_t *l) { uint64_t c; uint32_t n0 = l[8], n1 = l[9], n2 = l[10], n3 = l[11], n4 = l[12], n5 = l[13], n6 = l[14], n7 = l[15]; uint32_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9, m10, m11, m12; @@ -498,10 +478,10 @@ static void rustsecp256k1zkp_v0_5_0_scalar_reduce_512(rustsecp256k1zkp_v0_5_0_sc r->d[7] = c & 0xFFFFFFFFUL; c >>= 32; /* Final reduction of r. */ - rustsecp256k1zkp_v0_5_0_scalar_reduce(r, c + rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r)); + rustsecp256k1zkp_v0_6_0_scalar_reduce(r, c + rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r)); } -static void rustsecp256k1zkp_v0_5_0_scalar_mul_512(uint32_t *l, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static void rustsecp256k1zkp_v0_6_0_scalar_mul_512(uint32_t *l, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { /* 96 bit accumulator. */ uint32_t c0 = 0, c1 = 0, c2 = 0; @@ -589,81 +569,20 @@ static void rustsecp256k1zkp_v0_5_0_scalar_mul_512(uint32_t *l, const rustsecp25 l[15] = c0; } -static void rustsecp256k1zkp_v0_5_0_scalar_sqr_512(uint32_t *l, const rustsecp256k1zkp_v0_5_0_scalar *a) { - /* 96 bit accumulator. */ - uint32_t c0 = 0, c1 = 0, c2 = 0; - - /* l[0..15] = a[0..7]^2. */ - muladd_fast(a->d[0], a->d[0]); - extract_fast(l[0]); - muladd2(a->d[0], a->d[1]); - extract(l[1]); - muladd2(a->d[0], a->d[2]); - muladd(a->d[1], a->d[1]); - extract(l[2]); - muladd2(a->d[0], a->d[3]); - muladd2(a->d[1], a->d[2]); - extract(l[3]); - muladd2(a->d[0], a->d[4]); - muladd2(a->d[1], a->d[3]); - muladd(a->d[2], a->d[2]); - extract(l[4]); - muladd2(a->d[0], a->d[5]); - muladd2(a->d[1], a->d[4]); - muladd2(a->d[2], a->d[3]); - extract(l[5]); - muladd2(a->d[0], a->d[6]); - muladd2(a->d[1], a->d[5]); - muladd2(a->d[2], a->d[4]); - muladd(a->d[3], a->d[3]); - extract(l[6]); - muladd2(a->d[0], a->d[7]); - muladd2(a->d[1], a->d[6]); - muladd2(a->d[2], a->d[5]); - muladd2(a->d[3], a->d[4]); - extract(l[7]); - muladd2(a->d[1], a->d[7]); - muladd2(a->d[2], a->d[6]); - muladd2(a->d[3], a->d[5]); - muladd(a->d[4], a->d[4]); - extract(l[8]); - muladd2(a->d[2], a->d[7]); - muladd2(a->d[3], a->d[6]); - muladd2(a->d[4], a->d[5]); - extract(l[9]); - muladd2(a->d[3], a->d[7]); - muladd2(a->d[4], a->d[6]); - muladd(a->d[5], a->d[5]); - extract(l[10]); - muladd2(a->d[4], a->d[7]); - muladd2(a->d[5], a->d[6]); - extract(l[11]); - muladd2(a->d[5], a->d[7]); - muladd(a->d[6], a->d[6]); - extract(l[12]); - muladd2(a->d[6], a->d[7]); - extract(l[13]); - muladd_fast(a->d[7], a->d[7]); - extract_fast(l[14]); - VERIFY_CHECK(c1 == 0); - l[15] = c0; -} - #undef sumadd #undef sumadd_fast #undef muladd #undef muladd_fast -#undef muladd2 #undef extract #undef extract_fast -static void rustsecp256k1zkp_v0_5_0_scalar_mul(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static void rustsecp256k1zkp_v0_6_0_scalar_mul(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { uint32_t l[16]; - rustsecp256k1zkp_v0_5_0_scalar_mul_512(l, a, b); - rustsecp256k1zkp_v0_5_0_scalar_reduce_512(r, l); + rustsecp256k1zkp_v0_6_0_scalar_mul_512(l, a, b); + rustsecp256k1zkp_v0_6_0_scalar_reduce_512(r, l); } -static int rustsecp256k1zkp_v0_5_0_scalar_shr_int(rustsecp256k1zkp_v0_5_0_scalar *r, int n) { +static int rustsecp256k1zkp_v0_6_0_scalar_shr_int(rustsecp256k1zkp_v0_6_0_scalar *r, int n) { int ret; VERIFY_CHECK(n > 0); VERIFY_CHECK(n < 16); @@ -679,13 +598,7 @@ static int rustsecp256k1zkp_v0_5_0_scalar_shr_int(rustsecp256k1zkp_v0_5_0_scalar return ret; } -static void rustsecp256k1zkp_v0_5_0_scalar_sqr(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a) { - uint32_t l[16]; - rustsecp256k1zkp_v0_5_0_scalar_sqr_512(l, a); - rustsecp256k1zkp_v0_5_0_scalar_reduce_512(r, l); -} - -static void rustsecp256k1zkp_v0_5_0_scalar_split_128(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k) { +static void rustsecp256k1zkp_v0_6_0_scalar_split_128(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k) { r1->d[0] = k->d[0]; r1->d[1] = k->d[1]; r1->d[2] = k->d[2]; @@ -704,17 +617,17 @@ static void rustsecp256k1zkp_v0_5_0_scalar_split_128(rustsecp256k1zkp_v0_5_0_sca r2->d[7] = 0; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_eq(const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_eq(const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3]) | (a->d[4] ^ b->d[4]) | (a->d[5] ^ b->d[5]) | (a->d[6] ^ b->d[6]) | (a->d[7] ^ b->d[7])) == 0; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b, unsigned int shift) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_mul_shift_var(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b, unsigned int shift) { uint32_t l[16]; unsigned int shiftlimbs; unsigned int shiftlow; unsigned int shifthigh; VERIFY_CHECK(shift >= 256); - rustsecp256k1zkp_v0_5_0_scalar_mul_512(l, a, b); + rustsecp256k1zkp_v0_6_0_scalar_mul_512(l, a, b); shiftlimbs = shift >> 5; shiftlow = shift & 0x1F; shifthigh = 32 - shiftlow; @@ -726,10 +639,10 @@ SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(rustse r->d[5] = shift < 352 ? (l[5 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[6 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[6] = shift < 320 ? (l[6 + shiftlimbs] >> shiftlow | (shift < 288 && shiftlow ? (l[7 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[7] = shift < 288 ? (l[7 + shiftlimbs] >> shiftlow) : 0; - rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 5] >> ((shift - 1) & 0x1f)) & 1); + rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 5] >> ((shift - 1) & 0x1f)) & 1); } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_scalar_cmov(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_scalar_cmov(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, int flag) { uint32_t mask0, mask1; VG_CHECK_VERIFY(r->d, sizeof(r->d)); mask0 = flag + ~((uint32_t)0); @@ -757,7 +670,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_scalar_cmov(rustsecp256k1zk #define LE32(p) (p) #endif -static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const unsigned char *seed, uint64_t idx) { +static void rustsecp256k1zkp_v0_6_0_scalar_chacha20(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const unsigned char *seed, uint64_t idx) { size_t n; size_t over_count = 0; uint32_t seed32[8]; @@ -829,8 +742,8 @@ static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scal r2->d[1] = x14; r2->d[0] = x15; - over1 = rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r1); - over2 = rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r2); + over1 = rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r1); + over2 = rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r2); over_count++; } while (over1 | over2); } @@ -839,4 +752,92 @@ static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scal #undef QUARTERROUND #undef LE32 +static void rustsecp256k1zkp_v0_6_0_scalar_from_signed30(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_modinv32_signed30 *a) { + const uint32_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4], + a5 = a->v[5], a6 = a->v[6], a7 = a->v[7], a8 = a->v[8]; + + /* The output from rustsecp256k1zkp_v0_6_0_modinv32{_var} should be normalized to range [0,modulus), and + * have limbs in [0,2^30). The modulus is < 2^256, so the top limb must be below 2^(256-30*8). + */ + VERIFY_CHECK(a0 >> 30 == 0); + VERIFY_CHECK(a1 >> 30 == 0); + VERIFY_CHECK(a2 >> 30 == 0); + VERIFY_CHECK(a3 >> 30 == 0); + VERIFY_CHECK(a4 >> 30 == 0); + VERIFY_CHECK(a5 >> 30 == 0); + VERIFY_CHECK(a6 >> 30 == 0); + VERIFY_CHECK(a7 >> 30 == 0); + VERIFY_CHECK(a8 >> 16 == 0); + + r->d[0] = a0 | a1 << 30; + r->d[1] = a1 >> 2 | a2 << 28; + r->d[2] = a2 >> 4 | a3 << 26; + r->d[3] = a3 >> 6 | a4 << 24; + r->d[4] = a4 >> 8 | a5 << 22; + r->d[5] = a5 >> 10 | a6 << 20; + r->d[6] = a6 >> 12 | a7 << 18; + r->d[7] = a7 >> 14 | a8 << 16; + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r) == 0); +#endif +} + +static void rustsecp256k1zkp_v0_6_0_scalar_to_signed30(rustsecp256k1zkp_v0_6_0_modinv32_signed30 *r, const rustsecp256k1zkp_v0_6_0_scalar *a) { + const uint32_t M30 = UINT32_MAX >> 2; + const uint32_t a0 = a->d[0], a1 = a->d[1], a2 = a->d[2], a3 = a->d[3], + a4 = a->d[4], a5 = a->d[5], a6 = a->d[6], a7 = a->d[7]; + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(a) == 0); +#endif + + r->v[0] = a0 & M30; + r->v[1] = (a0 >> 30 | a1 << 2) & M30; + r->v[2] = (a1 >> 28 | a2 << 4) & M30; + r->v[3] = (a2 >> 26 | a3 << 6) & M30; + r->v[4] = (a3 >> 24 | a4 << 8) & M30; + r->v[5] = (a4 >> 22 | a5 << 10) & M30; + r->v[6] = (a5 >> 20 | a6 << 12) & M30; + r->v[7] = (a6 >> 18 | a7 << 14) & M30; + r->v[8] = a7 >> 16; +} + +static const rustsecp256k1zkp_v0_6_0_modinv32_modinfo rustsecp256k1zkp_v0_6_0_const_modinfo_scalar = { + {{0x10364141L, 0x3F497A33L, 0x348A03BBL, 0x2BB739ABL, -0x146L, 0, 0, 0, 65536}}, + 0x2A774EC1L +}; + +static void rustsecp256k1zkp_v0_6_0_scalar_inverse(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *x) { + rustsecp256k1zkp_v0_6_0_modinv32_signed30 s; +#ifdef VERIFY + int zero_in = rustsecp256k1zkp_v0_6_0_scalar_is_zero(x); +#endif + rustsecp256k1zkp_v0_6_0_scalar_to_signed30(&s, x); + rustsecp256k1zkp_v0_6_0_modinv32(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_scalar); + rustsecp256k1zkp_v0_6_0_scalar_from_signed30(r, &s); + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(r) == zero_in); +#endif +} + +static void rustsecp256k1zkp_v0_6_0_scalar_inverse_var(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *x) { + rustsecp256k1zkp_v0_6_0_modinv32_signed30 s; +#ifdef VERIFY + int zero_in = rustsecp256k1zkp_v0_6_0_scalar_is_zero(x); +#endif + rustsecp256k1zkp_v0_6_0_scalar_to_signed30(&s, x); + rustsecp256k1zkp_v0_6_0_modinv32_var(&s, &rustsecp256k1zkp_v0_6_0_const_modinfo_scalar); + rustsecp256k1zkp_v0_6_0_scalar_from_signed30(r, &s); + +#ifdef VERIFY + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(r) == zero_in); +#endif +} + +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_even(const rustsecp256k1zkp_v0_6_0_scalar *a) { + return !(a->d[0] & 1); +} + #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_impl.h index 0dad6be5..b448ff67 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_impl.h @@ -28,232 +28,13 @@ #error "Please select wide multiplication implementation" #endif -static const rustsecp256k1zkp_v0_5_0_scalar rustsecp256k1zkp_v0_5_0_scalar_one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); -static const rustsecp256k1zkp_v0_5_0_scalar rustsecp256k1zkp_v0_5_0_scalar_zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); +static const rustsecp256k1zkp_v0_6_0_scalar rustsecp256k1zkp_v0_6_0_scalar_one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); +static const rustsecp256k1zkp_v0_6_0_scalar rustsecp256k1zkp_v0_6_0_scalar_zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); -#ifndef USE_NUM_NONE -static void rustsecp256k1zkp_v0_5_0_scalar_get_num(rustsecp256k1zkp_v0_5_0_num *r, const rustsecp256k1zkp_v0_5_0_scalar *a) { - unsigned char c[32]; - rustsecp256k1zkp_v0_5_0_scalar_get_b32(c, a); - rustsecp256k1zkp_v0_5_0_num_set_bin(r, c, 32); -} - -/** secp256k1 curve order, see rustsecp256k1zkp_v0_5_0_ecdsa_const_order_as_fe in ecdsa_impl.h */ -static void rustsecp256k1zkp_v0_5_0_scalar_order_get_num(rustsecp256k1zkp_v0_5_0_num *r) { -#if defined(EXHAUSTIVE_TEST_ORDER) - static const unsigned char order[32] = { - 0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,EXHAUSTIVE_TEST_ORDER - }; -#else - static const unsigned char order[32] = { - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, - 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, - 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 - }; -#endif - rustsecp256k1zkp_v0_5_0_num_set_bin(r, order, 32); -} -#endif - -static int rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char *bin) { +static int rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char *bin) { int overflow; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, bin, &overflow); - return (!overflow) & (!rustsecp256k1zkp_v0_5_0_scalar_is_zero(r)); -} - -static void rustsecp256k1zkp_v0_5_0_scalar_inverse(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *x) { -#if defined(EXHAUSTIVE_TEST_ORDER) - int i; - *r = 0; - for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) - if ((i * *x) % EXHAUSTIVE_TEST_ORDER == 1) - *r = i; - /* If this VERIFY_CHECK triggers we were given a noninvertible scalar (and thus - * have a composite group order; fix it in exhaustive_tests.c). */ - VERIFY_CHECK(*r != 0); -} -#else - rustsecp256k1zkp_v0_5_0_scalar *t; - int i; - /* First compute xN as x ^ (2^N - 1) for some values of N, - * and uM as x ^ M for some values of M. */ - rustsecp256k1zkp_v0_5_0_scalar x2, x3, x6, x8, x14, x28, x56, x112, x126; - rustsecp256k1zkp_v0_5_0_scalar u2, u5, u9, u11, u13; - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&u2, x); - rustsecp256k1zkp_v0_5_0_scalar_mul(&x2, &u2, x); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u5, &u2, &x2); - rustsecp256k1zkp_v0_5_0_scalar_mul(&x3, &u5, &u2); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u9, &x3, &u2); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u11, &u9, &u2); - rustsecp256k1zkp_v0_5_0_scalar_mul(&u13, &u11, &u2); - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x6, &u13); - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x6, &x6); - rustsecp256k1zkp_v0_5_0_scalar_mul(&x6, &x6, &u11); - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x8, &x6); - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x8, &x8); - rustsecp256k1zkp_v0_5_0_scalar_mul(&x8, &x8, &x2); - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x14, &x8); - for (i = 0; i < 5; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x14, &x14); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(&x14, &x14, &x6); - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x28, &x14); - for (i = 0; i < 13; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x28, &x28); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(&x28, &x28, &x14); - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x56, &x28); - for (i = 0; i < 27; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x56, &x56); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(&x56, &x56, &x28); - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x112, &x56); - for (i = 0; i < 55; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x112, &x112); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(&x112, &x112, &x56); - - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x126, &x112); - for (i = 0; i < 13; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(&x126, &x126); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(&x126, &x126, &x14); - - /* Then accumulate the final result (t starts at x126). */ - t = &x126; - for (i = 0; i < 3; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u5); /* 101 */ - for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x3); /* 111 */ - for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u5); /* 101 */ - for (i = 0; i < 5; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u11); /* 1011 */ - for (i = 0; i < 4; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u11); /* 1011 */ - for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x3); /* 111 */ - for (i = 0; i < 5; i++) { /* 00 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x3); /* 111 */ - for (i = 0; i < 6; i++) { /* 00 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u13); /* 1101 */ - for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u5); /* 101 */ - for (i = 0; i < 3; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x3); /* 111 */ - for (i = 0; i < 5; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u9); /* 1001 */ - for (i = 0; i < 6; i++) { /* 000 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u5); /* 101 */ - for (i = 0; i < 10; i++) { /* 0000000 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x3); /* 111 */ - for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x3); /* 111 */ - for (i = 0; i < 9; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x8); /* 11111111 */ - for (i = 0; i < 5; i++) { /* 0 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u9); /* 1001 */ - for (i = 0; i < 6; i++) { /* 00 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u11); /* 1011 */ - for (i = 0; i < 4; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u13); /* 1101 */ - for (i = 0; i < 5; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &x2); /* 11 */ - for (i = 0; i < 6; i++) { /* 00 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u13); /* 1101 */ - for (i = 0; i < 10; i++) { /* 000000 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u13); /* 1101 */ - for (i = 0; i < 4; i++) { - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, &u9); /* 1001 */ - for (i = 0; i < 6; i++) { /* 00000 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(t, t, x); /* 1 */ - for (i = 0; i < 8; i++) { /* 00 */ - rustsecp256k1zkp_v0_5_0_scalar_sqr(t, t); - } - rustsecp256k1zkp_v0_5_0_scalar_mul(r, t, &x6); /* 111111 */ -} - -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_even(const rustsecp256k1zkp_v0_5_0_scalar *a) { - return !(a->d[0] & 1); -} -#endif - -static void rustsecp256k1zkp_v0_5_0_scalar_inverse_var(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *x) { -#if defined(USE_SCALAR_INV_BUILTIN) - rustsecp256k1zkp_v0_5_0_scalar_inverse(r, x); -#elif defined(USE_SCALAR_INV_NUM) - unsigned char b[32]; - rustsecp256k1zkp_v0_5_0_num n, m; - rustsecp256k1zkp_v0_5_0_scalar t = *x; - rustsecp256k1zkp_v0_5_0_scalar_get_b32(b, &t); - rustsecp256k1zkp_v0_5_0_num_set_bin(&n, b, 32); - rustsecp256k1zkp_v0_5_0_scalar_order_get_num(&m); - rustsecp256k1zkp_v0_5_0_num_mod_inverse(&n, &n, &m); - rustsecp256k1zkp_v0_5_0_num_get_bin(b, 32, &n); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, b, NULL); - /* Verify that the inverse was computed correctly, without GMP code. */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&t, &t, r); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_one(&t)); -#else -#error "Please select scalar inverse implementation" -#endif + rustsecp256k1zkp_v0_6_0_scalar_set_b32(r, bin, &overflow); + return (!overflow) & (!rustsecp256k1zkp_v0_6_0_scalar_is_zero(r)); } /* These parameters are generated using sage/gen_exhaustive_groups.sage. */ @@ -272,7 +53,7 @@ static void rustsecp256k1zkp_v0_5_0_scalar_inverse_var(rustsecp256k1zkp_v0_5_0_s * nontrivial to get full test coverage for the exhaustive tests. We therefore * (arbitrarily) set r2 = k + 5 (mod n) and r1 = k - r2 * lambda (mod n). */ -static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k) { +static void rustsecp256k1zkp_v0_6_0_scalar_split_lambda(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k) { *r2 = (*k + 5) % EXHAUSTIVE_TEST_ORDER; *r1 = (*k + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER; } @@ -280,13 +61,13 @@ static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda(rustsecp256k1zkp_v0_5_0_ /** * The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where * lambda is: */ -static const rustsecp256k1zkp_v0_5_0_scalar rustsecp256k1zkp_v0_5_0_const_lambda = SECP256K1_SCALAR_CONST( +static const rustsecp256k1zkp_v0_6_0_scalar rustsecp256k1zkp_v0_6_0_const_lambda = SECP256K1_SCALAR_CONST( 0x5363AD4CUL, 0xC05C30E0UL, 0xA5261C02UL, 0x8812645AUL, 0x122E22EAUL, 0x20816678UL, 0xDF02967CUL, 0x1B23BD72UL ); #ifdef VERIFY -static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda_verify(const rustsecp256k1zkp_v0_5_0_scalar *r1, const rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k); +static void rustsecp256k1zkp_v0_6_0_scalar_split_lambda_verify(const rustsecp256k1zkp_v0_6_0_scalar *r1, const rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k); #endif /* @@ -339,44 +120,44 @@ static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda_verify(const rustsecp256 * * See proof below. */ -static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k) { - rustsecp256k1zkp_v0_5_0_scalar c1, c2; - static const rustsecp256k1zkp_v0_5_0_scalar minus_b1 = SECP256K1_SCALAR_CONST( +static void rustsecp256k1zkp_v0_6_0_scalar_split_lambda(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k) { + rustsecp256k1zkp_v0_6_0_scalar c1, c2; + static const rustsecp256k1zkp_v0_6_0_scalar minus_b1 = SECP256K1_SCALAR_CONST( 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL, 0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C3UL ); - static const rustsecp256k1zkp_v0_5_0_scalar minus_b2 = SECP256K1_SCALAR_CONST( + static const rustsecp256k1zkp_v0_6_0_scalar minus_b2 = SECP256K1_SCALAR_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 0x8A280AC5UL, 0x0774346DUL, 0xD765CDA8UL, 0x3DB1562CUL ); - static const rustsecp256k1zkp_v0_5_0_scalar g1 = SECP256K1_SCALAR_CONST( + static const rustsecp256k1zkp_v0_6_0_scalar g1 = SECP256K1_SCALAR_CONST( 0x3086D221UL, 0xA7D46BCDUL, 0xE86C90E4UL, 0x9284EB15UL, 0x3DAA8A14UL, 0x71E8CA7FUL, 0xE893209AUL, 0x45DBB031UL ); - static const rustsecp256k1zkp_v0_5_0_scalar g2 = SECP256K1_SCALAR_CONST( + static const rustsecp256k1zkp_v0_6_0_scalar g2 = SECP256K1_SCALAR_CONST( 0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C4UL, 0x221208ACUL, 0x9DF506C6UL, 0x1571B4AEUL, 0x8AC47F71UL ); VERIFY_CHECK(r1 != k); VERIFY_CHECK(r2 != k); /* these _var calls are constant time since the shift amount is constant */ - rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(&c1, k, &g1, 384); - rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(&c2, k, &g2, 384); - rustsecp256k1zkp_v0_5_0_scalar_mul(&c1, &c1, &minus_b1); - rustsecp256k1zkp_v0_5_0_scalar_mul(&c2, &c2, &minus_b2); - rustsecp256k1zkp_v0_5_0_scalar_add(r2, &c1, &c2); - rustsecp256k1zkp_v0_5_0_scalar_mul(r1, r2, &rustsecp256k1zkp_v0_5_0_const_lambda); - rustsecp256k1zkp_v0_5_0_scalar_negate(r1, r1); - rustsecp256k1zkp_v0_5_0_scalar_add(r1, r1, k); + rustsecp256k1zkp_v0_6_0_scalar_mul_shift_var(&c1, k, &g1, 384); + rustsecp256k1zkp_v0_6_0_scalar_mul_shift_var(&c2, k, &g2, 384); + rustsecp256k1zkp_v0_6_0_scalar_mul(&c1, &c1, &minus_b1); + rustsecp256k1zkp_v0_6_0_scalar_mul(&c2, &c2, &minus_b2); + rustsecp256k1zkp_v0_6_0_scalar_add(r2, &c1, &c2); + rustsecp256k1zkp_v0_6_0_scalar_mul(r1, r2, &rustsecp256k1zkp_v0_6_0_const_lambda); + rustsecp256k1zkp_v0_6_0_scalar_negate(r1, r1); + rustsecp256k1zkp_v0_6_0_scalar_add(r1, r1, k); #ifdef VERIFY - rustsecp256k1zkp_v0_5_0_scalar_split_lambda_verify(r1, r2, k); + rustsecp256k1zkp_v0_6_0_scalar_split_lambda_verify(r1, r2, k); #endif } #ifdef VERIFY /* - * Proof for rustsecp256k1zkp_v0_5_0_scalar_split_lambda's bounds. + * Proof for rustsecp256k1zkp_v0_6_0_scalar_split_lambda's bounds. * * Let * - epsilon1 = 2^256 * |g1/2^384 - b2/d| @@ -479,8 +260,8 @@ static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda(rustsecp256k1zkp_v0_5_0_ * * Q.E.D. */ -static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda_verify(const rustsecp256k1zkp_v0_5_0_scalar *r1, const rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *k) { - rustsecp256k1zkp_v0_5_0_scalar s; +static void rustsecp256k1zkp_v0_6_0_scalar_split_lambda_verify(const rustsecp256k1zkp_v0_6_0_scalar *r1, const rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *k) { + rustsecp256k1zkp_v0_6_0_scalar s; unsigned char buf1[32]; unsigned char buf2[32]; @@ -496,19 +277,19 @@ static void rustsecp256k1zkp_v0_5_0_scalar_split_lambda_verify(const rustsecp256 0x8a, 0x65, 0x28, 0x7b, 0xd4, 0x71, 0x79, 0xfb, 0x2b, 0xe0, 0x88, 0x46, 0xce, 0xa2, 0x67, 0xed }; - rustsecp256k1zkp_v0_5_0_scalar_mul(&s, &rustsecp256k1zkp_v0_5_0_const_lambda, r2); - rustsecp256k1zkp_v0_5_0_scalar_add(&s, &s, r1); - VERIFY_CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&s, k)); + rustsecp256k1zkp_v0_6_0_scalar_mul(&s, &rustsecp256k1zkp_v0_6_0_const_lambda, r2); + rustsecp256k1zkp_v0_6_0_scalar_add(&s, &s, r1); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&s, k)); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, r1); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf1, r1); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf2, &s); - VERIFY_CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(buf1, k1_bound, 32) < 0 || rustsecp256k1zkp_v0_5_0_memcmp_var(buf2, k1_bound, 32) < 0); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, r1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf1, r1); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf2, &s); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(buf1, k1_bound, 32) < 0 || rustsecp256k1zkp_v0_6_0_memcmp_var(buf2, k1_bound, 32) < 0); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, r2); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf1, r2); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(buf2, &s); - VERIFY_CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(buf1, k2_bound, 32) < 0 || rustsecp256k1zkp_v0_5_0_memcmp_var(buf2, k2_bound, 32) < 0); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, r2); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf1, r2); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(buf2, &s); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(buf1, k2_bound, 32) < 0 || rustsecp256k1zkp_v0_6_0_memcmp_var(buf2, k2_bound, 32) < 0); } #endif /* VERIFY */ #endif /* !defined(EXHAUSTIVE_TEST_ORDER) */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low.h index 1552adee..29868835 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low.h @@ -10,7 +10,7 @@ #include /** A scalar modulo the group order of the secp256k1 curve. */ -typedef uint32_t rustsecp256k1zkp_v0_5_0_scalar; +typedef uint32_t rustsecp256k1zkp_v0_6_0_scalar; #define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) (d0) diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low_impl.h index 826bdefd..736dc509 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scalar_low_impl.h @@ -11,44 +11,44 @@ #include -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_even(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_even(const rustsecp256k1zkp_v0_6_0_scalar *a) { return !(*a & 1); } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_clear(rustsecp256k1zkp_v0_5_0_scalar *r) { *r = 0; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_int(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int v) { *r = v; } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_set_u64(rustsecp256k1zkp_v0_5_0_scalar *r, uint64_t v) { *r = v % EXHAUSTIVE_TEST_ORDER; } +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_clear(rustsecp256k1zkp_v0_6_0_scalar *r) { *r = 0; } +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_set_int(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int v) { *r = v; } +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_set_u64(rustsecp256k1zkp_v0_6_0_scalar *r, uint64_t v) { *r = v % EXHAUSTIVE_TEST_ORDER; } -SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count) { if (offset < 32) return ((*a >> offset) & ((((uint32_t)1) << count) - 1)); else return 0; } -SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_5_0_scalar *a, unsigned int offset, unsigned int count) { - return rustsecp256k1zkp_v0_5_0_scalar_get_bits(a, offset, count); +SECP256K1_INLINE static unsigned int rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(const rustsecp256k1zkp_v0_6_0_scalar *a, unsigned int offset, unsigned int count) { + return rustsecp256k1zkp_v0_6_0_scalar_get_bits(a, offset, count); } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_check_overflow(const rustsecp256k1zkp_v0_5_0_scalar *a) { return *a >= EXHAUSTIVE_TEST_ORDER; } +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_check_overflow(const rustsecp256k1zkp_v0_6_0_scalar *a) { return *a >= EXHAUSTIVE_TEST_ORDER; } -static int rustsecp256k1zkp_v0_5_0_scalar_add(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static int rustsecp256k1zkp_v0_6_0_scalar_add(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { *r = (*a + *b) % EXHAUSTIVE_TEST_ORDER; return *r < *b; } -static void rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(rustsecp256k1zkp_v0_5_0_scalar *r, unsigned int bit, int flag) { +static void rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(rustsecp256k1zkp_v0_6_0_scalar *r, unsigned int bit, int flag) { if (flag && bit < 32) *r += ((uint32_t)1 << bit); #ifdef VERIFY VERIFY_CHECK(bit < 32); /* Verify that adding (1 << bit) will not overflow any in-range scalar *r by overflowing the underlying uint32_t. */ VERIFY_CHECK(((uint32_t)1 << bit) - 1 <= UINT32_MAX - EXHAUSTIVE_TEST_ORDER); - VERIFY_CHECK(rustsecp256k1zkp_v0_5_0_scalar_check_overflow(r) == 0); + VERIFY_CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(r) == 0); #endif } -static void rustsecp256k1zkp_v0_5_0_scalar_set_b32(rustsecp256k1zkp_v0_5_0_scalar *r, const unsigned char *b32, int *overflow) { +static void rustsecp256k1zkp_v0_6_0_scalar_set_b32(rustsecp256k1zkp_v0_6_0_scalar *r, const unsigned char *b32, int *overflow) { int i; int over = 0; *r = 0; @@ -62,16 +62,16 @@ static void rustsecp256k1zkp_v0_5_0_scalar_set_b32(rustsecp256k1zkp_v0_5_0_scala if (overflow) *overflow = over; } -static void rustsecp256k1zkp_v0_5_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_5_0_scalar* a) { +static void rustsecp256k1zkp_v0_6_0_scalar_get_b32(unsigned char *bin, const rustsecp256k1zkp_v0_6_0_scalar* a) { memset(bin, 0, 32); bin[28] = *a >> 24; bin[29] = *a >> 16; bin[30] = *a >> 8; bin[31] = *a; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_zero(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_zero(const rustsecp256k1zkp_v0_6_0_scalar *a) { return *a == 0; } -static void rustsecp256k1zkp_v0_5_0_scalar_negate(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a) { +static void rustsecp256k1zkp_v0_6_0_scalar_negate(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a) { if (*a == 0) { *r = 0; } else { @@ -79,24 +79,24 @@ static void rustsecp256k1zkp_v0_5_0_scalar_negate(rustsecp256k1zkp_v0_5_0_scalar } } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_is_one(const rustsecp256k1zkp_v0_5_0_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_is_one(const rustsecp256k1zkp_v0_6_0_scalar *a) { return *a == 1; } -static int rustsecp256k1zkp_v0_5_0_scalar_is_high(const rustsecp256k1zkp_v0_5_0_scalar *a) { +static int rustsecp256k1zkp_v0_6_0_scalar_is_high(const rustsecp256k1zkp_v0_6_0_scalar *a) { return *a > EXHAUSTIVE_TEST_ORDER / 2; } -static int rustsecp256k1zkp_v0_5_0_scalar_cond_negate(rustsecp256k1zkp_v0_5_0_scalar *r, int flag) { - if (flag) rustsecp256k1zkp_v0_5_0_scalar_negate(r, r); +static int rustsecp256k1zkp_v0_6_0_scalar_cond_negate(rustsecp256k1zkp_v0_6_0_scalar *r, int flag) { + if (flag) rustsecp256k1zkp_v0_6_0_scalar_negate(r, r); return flag ? -1 : 1; } -static void rustsecp256k1zkp_v0_5_0_scalar_mul(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +static void rustsecp256k1zkp_v0_6_0_scalar_mul(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { *r = (*a * *b) % EXHAUSTIVE_TEST_ORDER; } -static int rustsecp256k1zkp_v0_5_0_scalar_shr_int(rustsecp256k1zkp_v0_5_0_scalar *r, int n) { +static int rustsecp256k1zkp_v0_6_0_scalar_shr_int(rustsecp256k1zkp_v0_6_0_scalar *r, int n) { int ret; VERIFY_CHECK(n > 0); VERIFY_CHECK(n < 16); @@ -105,20 +105,16 @@ static int rustsecp256k1zkp_v0_5_0_scalar_shr_int(rustsecp256k1zkp_v0_5_0_scalar return ret; } -static void rustsecp256k1zkp_v0_5_0_scalar_sqr(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a) { - *r = (*a * *a) % EXHAUSTIVE_TEST_ORDER; -} - -static void rustsecp256k1zkp_v0_5_0_scalar_split_128(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const rustsecp256k1zkp_v0_5_0_scalar *a) { +static void rustsecp256k1zkp_v0_6_0_scalar_split_128(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const rustsecp256k1zkp_v0_6_0_scalar *a) { *r1 = *a; *r2 = 0; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_scalar_eq(const rustsecp256k1zkp_v0_5_0_scalar *a, const rustsecp256k1zkp_v0_5_0_scalar *b) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_scalar_eq(const rustsecp256k1zkp_v0_6_0_scalar *a, const rustsecp256k1zkp_v0_6_0_scalar *b) { return *a == *b; } -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_scalar_cmov(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_scalar *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_scalar_cmov(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *a, int flag) { uint32_t mask0, mask1; VG_CHECK_VERIFY(r, sizeof(*r)); mask0 = flag + ~((uint32_t)0); @@ -126,9 +122,24 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_scalar_cmov(rustsecp256k1zk *r = (*r & mask0) | (*a & mask1); } -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_scalar_chacha20(rustsecp256k1zkp_v0_5_0_scalar *r1, rustsecp256k1zkp_v0_5_0_scalar *r2, const unsigned char *seed, uint64_t n) { +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_scalar_chacha20(rustsecp256k1zkp_v0_6_0_scalar *r1, rustsecp256k1zkp_v0_6_0_scalar *r2, const unsigned char *seed, uint64_t n) { *r1 = (seed[0] + n) % EXHAUSTIVE_TEST_ORDER; *r2 = (seed[1] + n) % EXHAUSTIVE_TEST_ORDER; } +static void rustsecp256k1zkp_v0_6_0_scalar_inverse(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *x) { + int i; + *r = 0; + for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) + if ((i * *x) % EXHAUSTIVE_TEST_ORDER == 1) + *r = i; + /* If this VERIFY_CHECK triggers we were given a noninvertible scalar (and thus + * have a composite group order; fix it in exhaustive_tests.c). */ + VERIFY_CHECK(*r != 0); +} + +static void rustsecp256k1zkp_v0_6_0_scalar_inverse_var(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_scalar *x) { + rustsecp256k1zkp_v0_6_0_scalar_inverse(r, x); +} + #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scratch.h b/secp256k1-zkp-sys/depend/secp256k1/src/scratch.h index 2801db25..5084f2ca 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scratch.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scratch.h @@ -9,7 +9,7 @@ /* The typedef is used internally; the struct name is used in the public API * (where it is exposed as a different typedef) */ -typedef struct rustsecp256k1zkp_v0_5_0_scratch_space_struct { +typedef struct rustsecp256k1zkp_v0_6_0_scratch_space_struct { /** guard against interpreting this object as other types */ unsigned char magic[8]; /** actual allocated data */ @@ -19,24 +19,24 @@ typedef struct rustsecp256k1zkp_v0_5_0_scratch_space_struct { size_t alloc_size; /** maximum size available to allocate */ size_t max_size; -} rustsecp256k1zkp_v0_5_0_scratch; +} rustsecp256k1zkp_v0_6_0_scratch; -static rustsecp256k1zkp_v0_5_0_scratch* rustsecp256k1zkp_v0_5_0_scratch_create(const rustsecp256k1zkp_v0_5_0_callback* error_callback, size_t max_size); +static rustsecp256k1zkp_v0_6_0_scratch* rustsecp256k1zkp_v0_6_0_scratch_create(const rustsecp256k1zkp_v0_6_0_callback* error_callback, size_t max_size); -static void rustsecp256k1zkp_v0_5_0_scratch_destroy(const rustsecp256k1zkp_v0_5_0_callback* error_callback, rustsecp256k1zkp_v0_5_0_scratch* scratch); +static void rustsecp256k1zkp_v0_6_0_scratch_destroy(const rustsecp256k1zkp_v0_6_0_callback* error_callback, rustsecp256k1zkp_v0_6_0_scratch* scratch); /** Returns an opaque object used to "checkpoint" a scratch space. Used - * with `rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint` to undo allocations. */ -static size_t rustsecp256k1zkp_v0_5_0_scratch_checkpoint(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_scratch* scratch); + * with `rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint` to undo allocations. */ +static size_t rustsecp256k1zkp_v0_6_0_scratch_checkpoint(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_scratch* scratch); -/** Applies a check point received from `rustsecp256k1zkp_v0_5_0_scratch_checkpoint`, +/** Applies a check point received from `rustsecp256k1zkp_v0_6_0_scratch_checkpoint`, * undoing all allocations since that point. */ -static void rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(const rustsecp256k1zkp_v0_5_0_callback* error_callback, rustsecp256k1zkp_v0_5_0_scratch* scratch, size_t checkpoint); +static void rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(const rustsecp256k1zkp_v0_6_0_callback* error_callback, rustsecp256k1zkp_v0_6_0_scratch* scratch, size_t checkpoint); /** Returns the maximum allocation the scratch space will allow */ -static size_t rustsecp256k1zkp_v0_5_0_scratch_max_allocation(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_scratch* scratch, size_t n_objects); +static size_t rustsecp256k1zkp_v0_6_0_scratch_max_allocation(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_scratch* scratch, size_t n_objects); /** Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available space */ -static void *rustsecp256k1zkp_v0_5_0_scratch_alloc(const rustsecp256k1zkp_v0_5_0_callback* error_callback, rustsecp256k1zkp_v0_5_0_scratch* scratch, size_t n); +static void *rustsecp256k1zkp_v0_6_0_scratch_alloc(const rustsecp256k1zkp_v0_6_0_callback* error_callback, rustsecp256k1zkp_v0_6_0_scratch* scratch, size_t n); #endif diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/scratch_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/scratch_impl.h index 9ea4ed14..4afcd5ba 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/scratch_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/scratch_impl.h @@ -10,29 +10,29 @@ #include "util.h" #include "scratch.h" -static size_t rustsecp256k1zkp_v0_5_0_scratch_checkpoint(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_scratch* scratch) { - if (rustsecp256k1zkp_v0_5_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1zkp_v0_5_0_callback_call(error_callback, "invalid scratch space"); +static size_t rustsecp256k1zkp_v0_6_0_scratch_checkpoint(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_scratch* scratch) { + if (rustsecp256k1zkp_v0_6_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { + rustsecp256k1zkp_v0_6_0_callback_call(error_callback, "invalid scratch space"); return 0; } return scratch->alloc_size; } -static void rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(const rustsecp256k1zkp_v0_5_0_callback* error_callback, rustsecp256k1zkp_v0_5_0_scratch* scratch, size_t checkpoint) { - if (rustsecp256k1zkp_v0_5_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1zkp_v0_5_0_callback_call(error_callback, "invalid scratch space"); +static void rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(const rustsecp256k1zkp_v0_6_0_callback* error_callback, rustsecp256k1zkp_v0_6_0_scratch* scratch, size_t checkpoint) { + if (rustsecp256k1zkp_v0_6_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { + rustsecp256k1zkp_v0_6_0_callback_call(error_callback, "invalid scratch space"); return; } if (checkpoint > scratch->alloc_size) { - rustsecp256k1zkp_v0_5_0_callback_call(error_callback, "invalid checkpoint"); + rustsecp256k1zkp_v0_6_0_callback_call(error_callback, "invalid checkpoint"); return; } scratch->alloc_size = checkpoint; } -static size_t rustsecp256k1zkp_v0_5_0_scratch_max_allocation(const rustsecp256k1zkp_v0_5_0_callback* error_callback, const rustsecp256k1zkp_v0_5_0_scratch* scratch, size_t objects) { - if (rustsecp256k1zkp_v0_5_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1zkp_v0_5_0_callback_call(error_callback, "invalid scratch space"); +static size_t rustsecp256k1zkp_v0_6_0_scratch_max_allocation(const rustsecp256k1zkp_v0_6_0_callback* error_callback, const rustsecp256k1zkp_v0_6_0_scratch* scratch, size_t objects) { + if (rustsecp256k1zkp_v0_6_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { + rustsecp256k1zkp_v0_6_0_callback_call(error_callback, "invalid scratch space"); return 0; } /* Ensure that multiplication will not wrap around */ @@ -45,7 +45,7 @@ static size_t rustsecp256k1zkp_v0_5_0_scratch_max_allocation(const rustsecp256k1 return scratch->max_size - scratch->alloc_size - objects * (ALIGNMENT - 1); } -static void *rustsecp256k1zkp_v0_5_0_scratch_alloc(const rustsecp256k1zkp_v0_5_0_callback* error_callback, rustsecp256k1zkp_v0_5_0_scratch* scratch, size_t size) { +static void *rustsecp256k1zkp_v0_6_0_scratch_alloc(const rustsecp256k1zkp_v0_6_0_callback* error_callback, rustsecp256k1zkp_v0_6_0_scratch* scratch, size_t size) { void *ret; size_t rounded_size; @@ -56,8 +56,8 @@ static void *rustsecp256k1zkp_v0_5_0_scratch_alloc(const rustsecp256k1zkp_v0_5_0 } size = rounded_size; - if (rustsecp256k1zkp_v0_5_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1zkp_v0_5_0_callback_call(error_callback, "invalid scratch space"); + if (rustsecp256k1zkp_v0_6_0_memcmp_var(scratch->magic, "scratch", 8) != 0) { + rustsecp256k1zkp_v0_6_0_callback_call(error_callback, "invalid scratch space"); return NULL; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c b/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c index 7711630b..d88ea6e0 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c @@ -4,12 +4,13 @@ * file COPYING or https://www.opensource.org/licenses/mit-license.php.* ***********************************************************************/ -#include "include/secp256k1.h" -#include "include/secp256k1_preallocated.h" +#define SECP256K1_BUILD + +#include "../include/secp256k1.h" +#include "../include/secp256k1_preallocated.h" #include "assumptions.h" #include "util.h" -#include "num_impl.h" #include "field_impl.h" #include "scalar_impl.h" #include "group_impl.h" @@ -23,6 +24,10 @@ #include "scratch_impl.h" #include "selftest.h" +#ifdef SECP256K1_NO_BUILD +# error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c" +#endif + #if defined(VALGRIND) #include #endif @@ -39,10 +44,10 @@ #ifdef ENABLE_MODULE_ECDSA_S2C #include "include/secp256k1_ecdsa_s2c.h" -static void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_5_0_ge* ge); +static void rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_6_0_ge* ge); #else -typedef void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening; -static void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_5_0_ge* ge) { +typedef void rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening; +static void rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_6_0_ge* ge) { (void) opening; (void) ge; VERIFY_CHECK(0); @@ -51,69 +56,69 @@ static void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_5 #define ARG_CHECK(cond) do { \ if (EXPECT(!(cond), 0)) { \ - rustsecp256k1zkp_v0_5_0_callback_call(&ctx->illegal_callback, #cond); \ + rustsecp256k1zkp_v0_6_0_callback_call(&ctx->illegal_callback, #cond); \ return 0; \ } \ } while(0) #define ARG_CHECK_NO_RETURN(cond) do { \ if (EXPECT(!(cond), 0)) { \ - rustsecp256k1zkp_v0_5_0_callback_call(&ctx->illegal_callback, #cond); \ + rustsecp256k1zkp_v0_6_0_callback_call(&ctx->illegal_callback, #cond); \ } \ } while(0) #ifndef USE_EXTERNAL_DEFAULT_CALLBACKS #include #include -static void rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn(const char* str, void* data) { +static void rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn(const char* str, void* data) { (void)data; fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); abort(); } -static void rustsecp256k1zkp_v0_5_0_default_error_callback_fn(const char* str, void* data) { +static void rustsecp256k1zkp_v0_6_0_default_error_callback_fn(const char* str, void* data) { (void)data; fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); abort(); } #else -void rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn(const char* str, void* data); -void rustsecp256k1zkp_v0_5_0_default_error_callback_fn(const char* str, void* data); +void rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn(const char* str, void* data); +void rustsecp256k1zkp_v0_6_0_default_error_callback_fn(const char* str, void* data); #endif -static const rustsecp256k1zkp_v0_5_0_callback default_illegal_callback = { - rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn, +static const rustsecp256k1zkp_v0_6_0_callback default_illegal_callback = { + rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn, NULL }; -static const rustsecp256k1zkp_v0_5_0_callback default_error_callback = { - rustsecp256k1zkp_v0_5_0_default_error_callback_fn, +static const rustsecp256k1zkp_v0_6_0_callback default_error_callback = { + rustsecp256k1zkp_v0_6_0_default_error_callback_fn, NULL }; -struct rustsecp256k1zkp_v0_5_0_context_struct { - rustsecp256k1zkp_v0_5_0_ecmult_context ecmult_ctx; - rustsecp256k1zkp_v0_5_0_ecmult_gen_context ecmult_gen_ctx; - rustsecp256k1zkp_v0_5_0_callback illegal_callback; - rustsecp256k1zkp_v0_5_0_callback error_callback; +struct rustsecp256k1zkp_v0_6_0_context_struct { + rustsecp256k1zkp_v0_6_0_ecmult_context ecmult_ctx; + rustsecp256k1zkp_v0_6_0_ecmult_gen_context ecmult_gen_ctx; + rustsecp256k1zkp_v0_6_0_callback illegal_callback; + rustsecp256k1zkp_v0_6_0_callback error_callback; int declassify; }; -static const rustsecp256k1zkp_v0_5_0_context rustsecp256k1zkp_v0_5_0_context_no_precomp_ = { +static const rustsecp256k1zkp_v0_6_0_context rustsecp256k1zkp_v0_6_0_context_no_precomp_ = { { 0 }, { 0 }, - { rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn, 0 }, - { rustsecp256k1zkp_v0_5_0_default_error_callback_fn, 0 }, + { rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn, 0 }, + { rustsecp256k1zkp_v0_6_0_default_error_callback_fn, 0 }, 0 }; -const rustsecp256k1zkp_v0_5_0_context *rustsecp256k1zkp_v0_5_0_context_no_precomp = &rustsecp256k1zkp_v0_5_0_context_no_precomp_; +const rustsecp256k1zkp_v0_6_0_context *rustsecp256k1zkp_v0_6_0_context_no_precomp = &rustsecp256k1zkp_v0_6_0_context_no_precomp_; -size_t rustsecp256k1zkp_v0_5_0_context_preallocated_size(unsigned int flags) { - size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_5_0_context)); +size_t rustsecp256k1zkp_v0_6_0_context_preallocated_size(unsigned int flags) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_6_0_context)); /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */ VERIFY_CHECK(ret != 0); if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { - rustsecp256k1zkp_v0_5_0_callback_call(&default_illegal_callback, + rustsecp256k1zkp_v0_6_0_callback_call(&default_illegal_callback, "Invalid flags"); return 0; } @@ -127,87 +132,87 @@ size_t rustsecp256k1zkp_v0_5_0_context_preallocated_size(unsigned int flags) { return ret; } -size_t rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(const rustsecp256k1zkp_v0_5_0_context* ctx) { - size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_5_0_context)); +size_t rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(const rustsecp256k1zkp_v0_6_0_context* ctx) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_6_0_context)); VERIFY_CHECK(ctx != NULL); - if (rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + if (rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; } - if (rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)) { + if (rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)) { ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; } return ret; } -rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_preallocated_create(void* prealloc, unsigned int flags) { +rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_preallocated_create(void* prealloc, unsigned int flags) { void* const base = prealloc; size_t prealloc_size; - rustsecp256k1zkp_v0_5_0_context* ret; + rustsecp256k1zkp_v0_6_0_context* ret; - if (!rustsecp256k1zkp_v0_5_0_selftest()) { - rustsecp256k1zkp_v0_5_0_callback_call(&default_error_callback, "self test failed"); + if (!rustsecp256k1zkp_v0_6_0_selftest()) { + rustsecp256k1zkp_v0_6_0_callback_call(&default_error_callback, "self test failed"); } - prealloc_size = rustsecp256k1zkp_v0_5_0_context_preallocated_size(flags); + prealloc_size = rustsecp256k1zkp_v0_6_0_context_preallocated_size(flags); if (prealloc_size == 0) { return NULL; } VERIFY_CHECK(prealloc != NULL); - ret = (rustsecp256k1zkp_v0_5_0_context*)manual_alloc(&prealloc, sizeof(rustsecp256k1zkp_v0_5_0_context), base, prealloc_size); + ret = (rustsecp256k1zkp_v0_6_0_context*)manual_alloc(&prealloc, sizeof(rustsecp256k1zkp_v0_6_0_context), base, prealloc_size); ret->illegal_callback = default_illegal_callback; ret->error_callback = default_error_callback; - rustsecp256k1zkp_v0_5_0_ecmult_context_init(&ret->ecmult_ctx); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_init(&ret->ecmult_gen_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_context_init(&ret->ecmult_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_init(&ret->ecmult_gen_ctx); - /* Flags have been checked by rustsecp256k1zkp_v0_5_0_context_preallocated_size. */ + /* Flags have been checked by rustsecp256k1zkp_v0_6_0_context_preallocated_size. */ VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT); if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc); } if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { - rustsecp256k1zkp_v0_5_0_ecmult_context_build(&ret->ecmult_ctx, &prealloc); + rustsecp256k1zkp_v0_6_0_ecmult_context_build(&ret->ecmult_ctx, &prealloc); } ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY); - return (rustsecp256k1zkp_v0_5_0_context*) ret; + return (rustsecp256k1zkp_v0_6_0_context*) ret; } -rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_preallocated_clone(const rustsecp256k1zkp_v0_5_0_context* ctx, void* prealloc) { +rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_preallocated_clone(const rustsecp256k1zkp_v0_6_0_context* ctx, void* prealloc) { size_t prealloc_size; - rustsecp256k1zkp_v0_5_0_context* ret; + rustsecp256k1zkp_v0_6_0_context* ret; VERIFY_CHECK(ctx != NULL); ARG_CHECK(prealloc != NULL); - prealloc_size = rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(ctx); - ret = (rustsecp256k1zkp_v0_5_0_context*)prealloc; + prealloc_size = rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(ctx); + ret = (rustsecp256k1zkp_v0_6_0_context*)prealloc; memcpy(ret, ctx, prealloc_size); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx); - rustsecp256k1zkp_v0_5_0_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx); return ret; } -void rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(rustsecp256k1zkp_v0_5_0_context* ctx) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_5_0_context_no_precomp); +void rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(rustsecp256k1zkp_v0_6_0_context* ctx) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_6_0_context_no_precomp); if (ctx != NULL) { - rustsecp256k1zkp_v0_5_0_ecmult_context_clear(&ctx->ecmult_ctx); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_context_clear(&ctx->ecmult_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); } } -void rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(rustsecp256k1zkp_v0_5_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_5_0_context_no_precomp); +void rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_6_0_context_no_precomp); if (fun == NULL) { - fun = rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn; + fun = rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn; } ctx->illegal_callback.fn = fun; ctx->illegal_callback.data = data; } -void rustsecp256k1zkp_v0_5_0_context_set_error_callback(rustsecp256k1zkp_v0_5_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_5_0_context_no_precomp); +void rustsecp256k1zkp_v0_6_0_context_set_error_callback(rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_6_0_context_no_precomp); if (fun == NULL) { - fun = rustsecp256k1zkp_v0_5_0_default_error_callback_fn; + fun = rustsecp256k1zkp_v0_6_0_default_error_callback_fn; } ctx->error_callback.fn = fun; ctx->error_callback.data = data; @@ -217,7 +222,7 @@ void rustsecp256k1zkp_v0_5_0_context_set_error_callback(rustsecp256k1zkp_v0_5_0_ * of the software. This is setup for use with valgrind but could be substituted with * the appropriate instrumentation for other analysis tools. */ -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_declassify(const rustsecp256k1zkp_v0_5_0_context* ctx, const void *p, size_t len) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_declassify(const rustsecp256k1zkp_v0_6_0_context* ctx, const void *p, size_t len) { #if defined(VALGRIND) if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len); #else @@ -227,59 +232,59 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_declassify(const rustsecp25 #endif } -static int rustsecp256k1zkp_v0_5_0_pubkey_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ge* ge, const rustsecp256k1zkp_v0_5_0_pubkey* pubkey) { - if (sizeof(rustsecp256k1zkp_v0_5_0_ge_storage) == 64) { - /* When the rustsecp256k1zkp_v0_5_0_ge_storage type is exactly 64 byte, use its - * representation inside rustsecp256k1zkp_v0_5_0_pubkey, as conversion is very fast. - * Note that rustsecp256k1zkp_v0_5_0_pubkey_save must use the same representation. */ - rustsecp256k1zkp_v0_5_0_ge_storage s; +static int rustsecp256k1zkp_v0_6_0_pubkey_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ge* ge, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey) { + if (sizeof(rustsecp256k1zkp_v0_6_0_ge_storage) == 64) { + /* When the rustsecp256k1zkp_v0_6_0_ge_storage type is exactly 64 byte, use its + * representation inside rustsecp256k1zkp_v0_6_0_pubkey, as conversion is very fast. + * Note that rustsecp256k1zkp_v0_6_0_pubkey_save must use the same representation. */ + rustsecp256k1zkp_v0_6_0_ge_storage s; memcpy(&s, &pubkey->data[0], sizeof(s)); - rustsecp256k1zkp_v0_5_0_ge_from_storage(ge, &s); + rustsecp256k1zkp_v0_6_0_ge_from_storage(ge, &s); } else { /* Otherwise, fall back to 32-byte big endian for X and Y. */ - rustsecp256k1zkp_v0_5_0_fe x, y; - rustsecp256k1zkp_v0_5_0_fe_set_b32(&x, pubkey->data); - rustsecp256k1zkp_v0_5_0_fe_set_b32(&y, pubkey->data + 32); - rustsecp256k1zkp_v0_5_0_ge_set_xy(ge, &x, &y); + rustsecp256k1zkp_v0_6_0_fe x, y; + rustsecp256k1zkp_v0_6_0_fe_set_b32(&x, pubkey->data); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&y, pubkey->data + 32); + rustsecp256k1zkp_v0_6_0_ge_set_xy(ge, &x, &y); } - ARG_CHECK(!rustsecp256k1zkp_v0_5_0_fe_is_zero(&ge->x)); + ARG_CHECK(!rustsecp256k1zkp_v0_6_0_fe_is_zero(&ge->x)); return 1; } -static void rustsecp256k1zkp_v0_5_0_pubkey_save(rustsecp256k1zkp_v0_5_0_pubkey* pubkey, rustsecp256k1zkp_v0_5_0_ge* ge) { - if (sizeof(rustsecp256k1zkp_v0_5_0_ge_storage) == 64) { - rustsecp256k1zkp_v0_5_0_ge_storage s; - rustsecp256k1zkp_v0_5_0_ge_to_storage(&s, ge); +static void rustsecp256k1zkp_v0_6_0_pubkey_save(rustsecp256k1zkp_v0_6_0_pubkey* pubkey, rustsecp256k1zkp_v0_6_0_ge* ge) { + if (sizeof(rustsecp256k1zkp_v0_6_0_ge_storage) == 64) { + rustsecp256k1zkp_v0_6_0_ge_storage s; + rustsecp256k1zkp_v0_6_0_ge_to_storage(&s, ge); memcpy(&pubkey->data[0], &s, sizeof(s)); } else { - VERIFY_CHECK(!rustsecp256k1zkp_v0_5_0_ge_is_infinity(ge)); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge->x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge->y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(pubkey->data, &ge->x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(pubkey->data + 32, &ge->y); + VERIFY_CHECK(!rustsecp256k1zkp_v0_6_0_ge_is_infinity(ge)); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge->x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge->y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(pubkey->data, &ge->x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(pubkey->data + 32, &ge->y); } } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey* pubkey, const unsigned char *input, size_t inputlen) { - rustsecp256k1zkp_v0_5_0_ge Q; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey* pubkey, const unsigned char *input, size_t inputlen) { + rustsecp256k1zkp_v0_6_0_ge Q; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); ARG_CHECK(input != NULL); - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&Q, input, inputlen)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&Q, input, inputlen)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_ge_is_in_correct_subgroup(&Q)) { + if (!rustsecp256k1zkp_v0_6_0_ge_is_in_correct_subgroup(&Q)) { return 0; } - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &Q); - rustsecp256k1zkp_v0_5_0_ge_clear(&Q); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &Q); + rustsecp256k1zkp_v0_6_0_ge_clear(&Q); return 1; } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_5_0_pubkey* pubkey, unsigned int flags) { - rustsecp256k1zkp_v0_5_0_ge Q; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey, unsigned int flags) { + rustsecp256k1zkp_v0_6_0_ge Q; size_t len; int ret = 0; @@ -292,8 +297,8 @@ int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_5_0_co memset(output, 0, len); ARG_CHECK(pubkey != NULL); ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); - if (rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &Q, pubkey)) { - ret = rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); + if (rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &Q, pubkey)) { + ret = rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); if (ret) { *outputlen = len; } @@ -301,39 +306,65 @@ int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_5_0_co return ret; } -static void rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar* r, rustsecp256k1zkp_v0_5_0_scalar* s, const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig) { +int rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey0, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey1) { + unsigned char out[2][33]; + const rustsecp256k1zkp_v0_6_0_pubkey* pk[2]; + int i; + + VERIFY_CHECK(ctx != NULL); + pk[0] = pubkey0; pk[1] = pubkey1; + for (i = 0; i < 2; i++) { + size_t out_size = sizeof(out[i]); + /* If the public key is NULL or invalid, ec_pubkey_serialize will call + * the illegal_callback and return 0. In that case we will serialize the + * key as all zeros which is less than any valid public key. This + * results in consistent comparisons even if NULL or invalid pubkeys are + * involved and prevents edge cases such as sorting algorithms that use + * this function and do not terminate as a result. */ + if (!rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) { + /* Note that ec_pubkey_serialize should already set the output to + * zero in that case, but it's not guaranteed by the API, we can't + * test it and writing a VERIFY_CHECK is more complex than + * explicitly memsetting (again). */ + memset(out[i], 0, sizeof(out[i])); + } + } + return rustsecp256k1zkp_v0_6_0_memcmp_var(out[0], out[1], sizeof(out[0])); +} + +static void rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar* r, rustsecp256k1zkp_v0_6_0_scalar* s, const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig) { (void)ctx; - if (sizeof(rustsecp256k1zkp_v0_5_0_scalar) == 32) { - /* When the rustsecp256k1zkp_v0_5_0_scalar type is exactly 32 byte, use its - * representation inside rustsecp256k1zkp_v0_5_0_ecdsa_signature, as conversion is very fast. - * Note that rustsecp256k1zkp_v0_5_0_ecdsa_signature_save must use the same representation. */ + if (sizeof(rustsecp256k1zkp_v0_6_0_scalar) == 32) { + /* When the rustsecp256k1zkp_v0_6_0_scalar type is exactly 32 byte, use its + * representation inside rustsecp256k1zkp_v0_6_0_ecdsa_signature, as conversion is very fast. + * Note that rustsecp256k1zkp_v0_6_0_ecdsa_signature_save must use the same representation. */ memcpy(r, &sig->data[0], 32); memcpy(s, &sig->data[32], 32); } else { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, &sig->data[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(s, &sig->data[32], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(r, &sig->data[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(s, &sig->data[32], NULL); } } -static void rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const rustsecp256k1zkp_v0_5_0_scalar* r, const rustsecp256k1zkp_v0_5_0_scalar* s) { - if (sizeof(rustsecp256k1zkp_v0_5_0_scalar) == 32) { +static void rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const rustsecp256k1zkp_v0_6_0_scalar* r, const rustsecp256k1zkp_v0_6_0_scalar* s) { + if (sizeof(rustsecp256k1zkp_v0_6_0_scalar) == 32) { memcpy(&sig->data[0], r, 32); memcpy(&sig->data[32], s, 32); } else { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig->data[0], r); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig->data[32], s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig->data[0], r); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig->data[32], s); } } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { + rustsecp256k1zkp_v0_6_0_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(input != NULL); - if (rustsecp256k1zkp_v0_5_0_ecdsa_sig_parse(&r, &s, input, inputlen)) { - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sig, &r, &s); + if (rustsecp256k1zkp_v0_6_0_ecdsa_sig_parse(&r, &s, input, inputlen)) { + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sig, &r, &s); return 1; } else { memset(sig, 0, sizeof(*sig)); @@ -341,8 +372,8 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(const rustsecp256k1zkp_v0_ } } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const unsigned char *input64) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input64) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret = 1; int overflow = 0; @@ -350,77 +381,77 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(const rustsecp256k1zkp ARG_CHECK(sig != NULL); ARG_CHECK(input64 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&r, &input64[0], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&r, &input64[0], &overflow); ret &= !overflow; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, &input64[32], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, &input64[32], &overflow); ret &= !overflow; if (ret) { - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sig, &r, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sig, &r, &s); } else { memset(sig, 0, sizeof(*sig)); } return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig) { + rustsecp256k1zkp_v0_6_0_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output != NULL); ARG_CHECK(outputlen != NULL); ARG_CHECK(sig != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sig); - return rustsecp256k1zkp_v0_5_0_ecdsa_sig_serialize(output, outputlen, &r, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sig); + return rustsecp256k1zkp_v0_6_0_ecdsa_sig_serialize(output, outputlen, &r, &s); } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output64, const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output64, const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig) { + rustsecp256k1zkp_v0_6_0_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output64 != NULL); ARG_CHECK(sig != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sig); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&output64[0], &r); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&output64[32], &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sig); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&output64[0], &r); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&output64[32], &s); return 1; } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigout, const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigin) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigout, const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigin) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(sigin != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sigin); - ret = rustsecp256k1zkp_v0_5_0_scalar_is_high(&s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sigin); + ret = rustsecp256k1zkp_v0_6_0_scalar_is_high(&s); if (sigout != NULL) { if (ret) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, &s); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, &s); } - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sigout, &r, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sigout, &r, &s); } return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, const unsigned char *msghash32, const rustsecp256k1zkp_v0_5_0_pubkey *pubkey) { - rustsecp256k1zkp_v0_5_0_ge q; - rustsecp256k1zkp_v0_5_0_scalar r, s; - rustsecp256k1zkp_v0_5_0_scalar m; +int rustsecp256k1zkp_v0_6_0_ecdsa_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msghash32, const rustsecp256k1zkp_v0_6_0_pubkey *pubkey) { + rustsecp256k1zkp_v0_6_0_ge q; + rustsecp256k1zkp_v0_6_0_scalar r, s; + rustsecp256k1zkp_v0_6_0_scalar m; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(msghash32 != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(pubkey != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&m, msghash32, NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sig); - return (!rustsecp256k1zkp_v0_5_0_scalar_is_high(&s) && - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &q, pubkey) && - rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&m, msghash32, NULL); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sig); + return (!rustsecp256k1zkp_v0_6_0_scalar_is_high(&s) && + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &q, pubkey) && + rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); } static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) { @@ -431,7 +462,7 @@ static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *off static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { unsigned char keydata[112]; unsigned int offset = 0; - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 rng; + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 rng; unsigned int i; /* We feed a byte array to the PRNG as input, consisting of: * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. @@ -449,80 +480,80 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m if (algo16 != NULL) { buffer_append(keydata, &offset, algo16, 16); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); memset(keydata, 0, sizeof(keydata)); for (i = 0; i <= counter; i++) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(&rng); return 1; } -const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_rfc6979 = nonce_function_rfc6979; -const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_default = nonce_function_rfc6979; +const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_rfc6979 = nonce_function_rfc6979; +const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_default = nonce_function_rfc6979; -static int rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar* r, rustsecp256k1zkp_v0_5_0_scalar* s, int* recid, rustsecp256k1zkp_v0_5_0_sha256* s2c_sha, rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening *s2c_opening, const unsigned char* s2c_data32, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1zkp_v0_5_0_nonce_function noncefp, const void* noncedata) { - rustsecp256k1zkp_v0_5_0_scalar sec, non, msg; +static int rustsecp256k1zkp_v0_6_0_ecdsa_sign_inner(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar* r, rustsecp256k1zkp_v0_6_0_scalar* s, int* recid, rustsecp256k1zkp_v0_6_0_sha256* s2c_sha, rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening *s2c_opening, const unsigned char* s2c_data32, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void* noncedata) { + rustsecp256k1zkp_v0_6_0_scalar sec, non, msg; int ret = 0; int is_sec_valid; unsigned char nonce32[32]; unsigned int count = 0; /* Default initialization here is important so we won't pass uninit values to the cmov in the end */ - *r = rustsecp256k1zkp_v0_5_0_scalar_zero; - *s = rustsecp256k1zkp_v0_5_0_scalar_zero; + *r = rustsecp256k1zkp_v0_6_0_scalar_zero; + *s = rustsecp256k1zkp_v0_6_0_scalar_zero; if (recid) { *recid = 0; } if (noncefp == NULL) { - noncefp = rustsecp256k1zkp_v0_5_0_nonce_function_default; + noncefp = rustsecp256k1zkp_v0_6_0_nonce_function_default; } /* sign-to-contract commitments only work with the default nonce function, * because we need to ensure that s2c_data is actually hashed into the nonce and * not just ignored. Otherwise an attacker can exfiltrate the secret key by * signing the same message thrice with different commitments. */ - VERIFY_CHECK(s2c_data32 == NULL || noncefp == rustsecp256k1zkp_v0_5_0_nonce_function_default); + VERIFY_CHECK(s2c_data32 == NULL || noncefp == rustsecp256k1zkp_v0_6_0_nonce_function_default); /* Fail if the secret key is invalid. */ - is_sec_valid = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_one, !is_sec_valid); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&msg, msg32, NULL); + is_sec_valid = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_one, !is_sec_valid); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&msg, msg32, NULL); while (1) { int is_nonce_valid; ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); if (!ret) { break; } - is_nonce_valid = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&non, nonce32); + is_nonce_valid = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&non, nonce32); /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); if (is_nonce_valid) { if (s2c_data32 != NULL) { - rustsecp256k1zkp_v0_5_0_gej nonce_pj; - rustsecp256k1zkp_v0_5_0_ge nonce_p; + rustsecp256k1zkp_v0_6_0_gej nonce_pj; + rustsecp256k1zkp_v0_6_0_ge nonce_p; /* Compute original nonce commitment/pubkey */ - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_pj, &non); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&nonce_p, &nonce_pj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_pj, &non); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&nonce_p, &nonce_pj); if (s2c_opening != NULL) { - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(s2c_opening, &nonce_p); + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(s2c_opening, &nonce_p); } /* Because the nonce is valid, the nonce point isn't the point * at infinity and we can declassify that information to be able to * serialize the point. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &nonce_p.infinity, sizeof(nonce_p.infinity)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &nonce_p.infinity, sizeof(nonce_p.infinity)); /* Tweak nonce with s2c commitment. */ - ret = rustsecp256k1zkp_v0_5_0_ec_commit_seckey(&non, &nonce_p, s2c_sha, s2c_data32, 32); - rustsecp256k1zkp_v0_5_0_declassify(ctx, &ret, sizeof(ret)); /* may be secret that the tweak falied, but happens with negligible probability */ + ret = rustsecp256k1zkp_v0_6_0_ec_commit_seckey(&non, &nonce_p, s2c_sha, s2c_data32, 32); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &ret, sizeof(ret)); /* may be secret that the tweak falied, but happens with negligible probability */ if (!ret) { break; } } - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid); /* The final signature is no longer a secret, nor is the fact that we were successful or not. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &ret, sizeof(ret)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &ret, sizeof(ret)); if (ret) { break; } @@ -534,204 +565,204 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(const rustsecp256k1zkp_v0_5_ * used as a branching variable. */ ret &= is_sec_valid; memset(nonce32, 0, 32); - rustsecp256k1zkp_v0_5_0_scalar_clear(&msg); - rustsecp256k1zkp_v0_5_0_scalar_clear(&non); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); - rustsecp256k1zkp_v0_5_0_scalar_cmov(r, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_cmov(s, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&msg); + rustsecp256k1zkp_v0_6_0_scalar_clear(&non); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_cmov(r, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_cmov(s, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); if (recid) { const int zero = 0; - rustsecp256k1zkp_v0_5_0_int_cmov(recid, &zero, !ret); + rustsecp256k1zkp_v0_6_0_int_cmov(recid, &zero, !ret); } return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, rustsecp256k1zkp_v0_5_0_nonce_function noncefp, const void* noncedata) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void* noncedata) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(msghash32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(ctx, &r, &s, NULL, NULL, NULL, NULL, msghash32, seckey, noncefp, noncedata); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(signature, &r, &s); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sign_inner(ctx, &r, &s, NULL, NULL, NULL, NULL, msghash32, seckey, noncefp, noncedata); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(signature, &r, &s); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_scalar sec; int ret; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } -static int rustsecp256k1zkp_v0_5_0_ec_pubkey_create_helper(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_5_0_scalar *seckey_scalar, rustsecp256k1zkp_v0_5_0_ge *p, const unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_gej pj; +static int rustsecp256k1zkp_v0_6_0_ec_pubkey_create_helper(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_6_0_scalar *seckey_scalar, rustsecp256k1zkp_v0_6_0_ge *p, const unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_gej pj; int ret; - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(seckey_scalar, seckey); - rustsecp256k1zkp_v0_5_0_scalar_cmov(seckey_scalar, &rustsecp256k1zkp_v0_5_0_scalar_one, !ret); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(seckey_scalar, seckey); + rustsecp256k1zkp_v0_6_0_scalar_cmov(seckey_scalar, &rustsecp256k1zkp_v0_6_0_scalar_one, !ret); - rustsecp256k1zkp_v0_5_0_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar); - rustsecp256k1zkp_v0_5_0_ge_set_gej(p, &pj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar); + rustsecp256k1zkp_v0_6_0_ge_set_gej(p, &pj); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_create(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_ge p; - rustsecp256k1zkp_v0_5_0_scalar seckey_scalar; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_create(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_ge p; + rustsecp256k1zkp_v0_6_0_scalar seckey_scalar; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey); - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); - rustsecp256k1zkp_v0_5_0_memczero(pubkey, sizeof(*pubkey), !ret); + ret = rustsecp256k1zkp_v0_6_0_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); + rustsecp256k1zkp_v0_6_0_memczero(pubkey, sizeof(*pubkey), !ret); - rustsecp256k1zkp_v0_5_0_scalar_clear(&seckey_scalar); + rustsecp256k1zkp_v0_6_0_scalar_clear(&seckey_scalar); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_negate(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_negate(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_scalar sec; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_negate(&sec, &sec); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &sec); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_negate(&sec, &sec); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_privkey_negate(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey) { - return rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, seckey); +int rustsecp256k1zkp_v0_6_0_ec_privkey_negate(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey) { + return rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, seckey); } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey) { +int rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey) { int ret = 0; - rustsecp256k1zkp_v0_5_0_ge p; + rustsecp256k1zkp_v0_6_0_ge p; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); - ret = rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &p, pubkey); + ret = rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); if (ret) { - rustsecp256k1zkp_v0_5_0_ge_neg(&p, &p); - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); + rustsecp256k1zkp_v0_6_0_ge_neg(&p, &p); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); } return ret; } -static int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_5_0_scalar *sec, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar term; +static int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_6_0_scalar *sec, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar term; int overflow = 0; int ret = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&term, tweak32, &overflow); - ret = (!overflow) & rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_add(sec, &term); - rustsecp256k1zkp_v0_5_0_scalar_clear(&term); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&term, tweak32, &overflow); + ret = (!overflow) & rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_add(sec, &term); + rustsecp256k1zkp_v0_6_0_scalar_clear(&term); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar sec; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); ARG_CHECK(tweak32 != NULL); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - ret &= rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(&sec, tweak32); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &sec); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + ret &= rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(&sec, tweak32); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - return rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, seckey, tweak32); +int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + return rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, seckey, tweak32); } -static int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_ge *p, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar term; +static int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_ge *p, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar term; int overflow = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&term, tweak32, &overflow); - return !overflow && rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_add(ecmult_ctx, p, &term); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&term, tweak32, &overflow); + return !overflow && rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_add(ecmult_ctx, p, &term); } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge p; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge p; int ret = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(pubkey != NULL); ARG_CHECK(tweak32 != NULL); - ret = rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &p, pubkey); + ret = rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); - ret = ret && rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32); + ret = ret && rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32); if (ret) { - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); } return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar factor; - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar factor; + rustsecp256k1zkp_v0_6_0_scalar sec; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); ARG_CHECK(tweak32 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&factor, tweak32, &overflow); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - ret &= (!overflow) & rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_mul(&sec, &factor); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &sec); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&factor, tweak32, &overflow); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + ret &= (!overflow) & rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_mul(&sec, &factor); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&factor); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&factor); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - return rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, seckey, tweak32); +int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_mul(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + return rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, seckey, tweak32); } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge p; - rustsecp256k1zkp_v0_5_0_scalar factor; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge p; + rustsecp256k1zkp_v0_6_0_scalar factor; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(pubkey != NULL); ARG_CHECK(tweak32 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&factor, tweak32, &overflow); - ret = !overflow && rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &p, pubkey); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&factor, tweak32, &overflow); + ret = !overflow && rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); if (ret) { - if (rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); + if (rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); } else { ret = 0; } @@ -740,35 +771,35 @@ int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_co return ret; } -int rustsecp256k1zkp_v0_5_0_context_randomize(rustsecp256k1zkp_v0_5_0_context* ctx, const unsigned char *seed32) { +int rustsecp256k1zkp_v0_6_0_context_randomize(rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seed32) { VERIFY_CHECK(ctx != NULL); - if (rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { - rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); + if (rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); } return 1; } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubnonce, const rustsecp256k1zkp_v0_5_0_pubkey * const *pubnonces, size_t n) { +int rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubnonce, const rustsecp256k1zkp_v0_6_0_pubkey * const *pubnonces, size_t n) { size_t i; - rustsecp256k1zkp_v0_5_0_gej Qj; - rustsecp256k1zkp_v0_5_0_ge Q; + rustsecp256k1zkp_v0_6_0_gej Qj; + rustsecp256k1zkp_v0_6_0_ge Q; ARG_CHECK(pubnonce != NULL); memset(pubnonce, 0, sizeof(*pubnonce)); ARG_CHECK(n >= 1); ARG_CHECK(pubnonces != NULL); - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&Qj); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&Qj); for (i = 0; i < n; i++) { - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &Q, pubnonces[i]); - rustsecp256k1zkp_v0_5_0_gej_add_ge(&Qj, &Qj, &Q); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &Q, pubnonces[i]); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&Qj, &Qj, &Q); } - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&Qj)) { + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&Qj)) { return 0; } - rustsecp256k1zkp_v0_5_0_ge_set_gej(&Q, &Qj); - rustsecp256k1zkp_v0_5_0_pubkey_save(pubnonce, &Q); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&Q, &Qj); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubnonce, &Q); return 1; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c.orig b/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c.orig index 91115d51..8eaa266c 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c.orig +++ b/secp256k1-zkp-sys/depend/secp256k1/src/secp256k1.c.orig @@ -4,12 +4,13 @@ * file COPYING or https://www.opensource.org/licenses/mit-license.php.* ***********************************************************************/ -#include "include/secp256k1.h" -#include "include/secp256k1_preallocated.h" +#define SECP256K1_BUILD + +#include "../include/secp256k1.h" +#include "../include/secp256k1_preallocated.h" #include "assumptions.h" #include "util.h" -#include "num_impl.h" #include "field_impl.h" #include "scalar_impl.h" #include "group_impl.h" @@ -23,6 +24,10 @@ #include "scratch_impl.h" #include "selftest.h" +#ifdef SECP256K1_NO_BUILD +# error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c" +#endif + #if defined(VALGRIND) #include #endif @@ -39,10 +44,10 @@ #ifdef ENABLE_MODULE_ECDSA_S2C #include "include/secp256k1_ecdsa_s2c.h" -static void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_5_0_ge* ge); +static void rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_6_0_ge* ge); #else -typedef void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening; -static void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_5_0_ge* ge) { +typedef void rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening; +static void rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening* opening, rustsecp256k1zkp_v0_6_0_ge* ge) { (void) opening; (void) ge; VERIFY_CHECK(0); @@ -51,69 +56,69 @@ static void rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(rustsecp256k1zkp_v0_5 #define ARG_CHECK(cond) do { \ if (EXPECT(!(cond), 0)) { \ - rustsecp256k1zkp_v0_5_0_callback_call(&ctx->illegal_callback, #cond); \ + rustsecp256k1zkp_v0_6_0_callback_call(&ctx->illegal_callback, #cond); \ return 0; \ } \ } while(0) #define ARG_CHECK_NO_RETURN(cond) do { \ if (EXPECT(!(cond), 0)) { \ - rustsecp256k1zkp_v0_5_0_callback_call(&ctx->illegal_callback, #cond); \ + rustsecp256k1zkp_v0_6_0_callback_call(&ctx->illegal_callback, #cond); \ } \ } while(0) #ifndef USE_EXTERNAL_DEFAULT_CALLBACKS #include #include -static void rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn(const char* str, void* data) { +static void rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn(const char* str, void* data) { (void)data; fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); abort(); } -static void rustsecp256k1zkp_v0_5_0_default_error_callback_fn(const char* str, void* data) { +static void rustsecp256k1zkp_v0_6_0_default_error_callback_fn(const char* str, void* data) { (void)data; fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); abort(); } #else -void rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn(const char* str, void* data); -void rustsecp256k1zkp_v0_5_0_default_error_callback_fn(const char* str, void* data); +void rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn(const char* str, void* data); +void rustsecp256k1zkp_v0_6_0_default_error_callback_fn(const char* str, void* data); #endif -static const rustsecp256k1zkp_v0_5_0_callback default_illegal_callback = { - rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn, +static const rustsecp256k1zkp_v0_6_0_callback default_illegal_callback = { + rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn, NULL }; -static const rustsecp256k1zkp_v0_5_0_callback default_error_callback = { - rustsecp256k1zkp_v0_5_0_default_error_callback_fn, +static const rustsecp256k1zkp_v0_6_0_callback default_error_callback = { + rustsecp256k1zkp_v0_6_0_default_error_callback_fn, NULL }; -struct rustsecp256k1zkp_v0_5_0_context_struct { - rustsecp256k1zkp_v0_5_0_ecmult_context ecmult_ctx; - rustsecp256k1zkp_v0_5_0_ecmult_gen_context ecmult_gen_ctx; - rustsecp256k1zkp_v0_5_0_callback illegal_callback; - rustsecp256k1zkp_v0_5_0_callback error_callback; +struct rustsecp256k1zkp_v0_6_0_context_struct { + rustsecp256k1zkp_v0_6_0_ecmult_context ecmult_ctx; + rustsecp256k1zkp_v0_6_0_ecmult_gen_context ecmult_gen_ctx; + rustsecp256k1zkp_v0_6_0_callback illegal_callback; + rustsecp256k1zkp_v0_6_0_callback error_callback; int declassify; }; -static const rustsecp256k1zkp_v0_5_0_context rustsecp256k1zkp_v0_5_0_context_no_precomp_ = { +static const rustsecp256k1zkp_v0_6_0_context rustsecp256k1zkp_v0_6_0_context_no_precomp_ = { { 0 }, { 0 }, - { rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn, 0 }, - { rustsecp256k1zkp_v0_5_0_default_error_callback_fn, 0 }, + { rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn, 0 }, + { rustsecp256k1zkp_v0_6_0_default_error_callback_fn, 0 }, 0 }; -const rustsecp256k1zkp_v0_5_0_context *rustsecp256k1zkp_v0_5_0_context_no_precomp = &rustsecp256k1zkp_v0_5_0_context_no_precomp_; +const rustsecp256k1zkp_v0_6_0_context *rustsecp256k1zkp_v0_6_0_context_no_precomp = &rustsecp256k1zkp_v0_6_0_context_no_precomp_; -size_t rustsecp256k1zkp_v0_5_0_context_preallocated_size(unsigned int flags) { - size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_5_0_context)); +size_t rustsecp256k1zkp_v0_6_0_context_preallocated_size(unsigned int flags) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_6_0_context)); /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */ VERIFY_CHECK(ret != 0); if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { - rustsecp256k1zkp_v0_5_0_callback_call(&default_illegal_callback, + rustsecp256k1zkp_v0_6_0_callback_call(&default_illegal_callback, "Invalid flags"); return 0; } @@ -127,56 +132,56 @@ size_t rustsecp256k1zkp_v0_5_0_context_preallocated_size(unsigned int flags) { return ret; } -size_t rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(const rustsecp256k1zkp_v0_5_0_context* ctx) { - size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_5_0_context)); +size_t rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(const rustsecp256k1zkp_v0_6_0_context* ctx) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1zkp_v0_6_0_context)); VERIFY_CHECK(ctx != NULL); - if (rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + if (rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; } - if (rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)) { + if (rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)) { ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; } return ret; } -rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_preallocated_create(void* prealloc, unsigned int flags) { +rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_preallocated_create(void* prealloc, unsigned int flags) { void* const base = prealloc; size_t prealloc_size; - rustsecp256k1zkp_v0_5_0_context* ret; + rustsecp256k1zkp_v0_6_0_context* ret; - if (!rustsecp256k1zkp_v0_5_0_selftest()) { - rustsecp256k1zkp_v0_5_0_callback_call(&default_error_callback, "self test failed"); + if (!rustsecp256k1zkp_v0_6_0_selftest()) { + rustsecp256k1zkp_v0_6_0_callback_call(&default_error_callback, "self test failed"); } - prealloc_size = rustsecp256k1zkp_v0_5_0_context_preallocated_size(flags); + prealloc_size = rustsecp256k1zkp_v0_6_0_context_preallocated_size(flags); if (prealloc_size == 0) { return NULL; } VERIFY_CHECK(prealloc != NULL); - ret = (rustsecp256k1zkp_v0_5_0_context*)manual_alloc(&prealloc, sizeof(rustsecp256k1zkp_v0_5_0_context), base, prealloc_size); + ret = (rustsecp256k1zkp_v0_6_0_context*)manual_alloc(&prealloc, sizeof(rustsecp256k1zkp_v0_6_0_context), base, prealloc_size); ret->illegal_callback = default_illegal_callback; ret->error_callback = default_error_callback; - rustsecp256k1zkp_v0_5_0_ecmult_context_init(&ret->ecmult_ctx); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_init(&ret->ecmult_gen_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_context_init(&ret->ecmult_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_init(&ret->ecmult_gen_ctx); - /* Flags have been checked by rustsecp256k1zkp_v0_5_0_context_preallocated_size. */ + /* Flags have been checked by rustsecp256k1zkp_v0_6_0_context_preallocated_size. */ VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT); if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc); } if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { - rustsecp256k1zkp_v0_5_0_ecmult_context_build(&ret->ecmult_ctx, &prealloc); + rustsecp256k1zkp_v0_6_0_ecmult_context_build(&ret->ecmult_ctx, &prealloc); } ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY); - return (rustsecp256k1zkp_v0_5_0_context*) ret; + return (rustsecp256k1zkp_v0_6_0_context*) ret; } -rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_create(unsigned int flags) { - size_t const prealloc_size = rustsecp256k1zkp_v0_5_0_context_preallocated_size(flags); - rustsecp256k1zkp_v0_5_0_context* ctx = (rustsecp256k1zkp_v0_5_0_context*)checked_malloc(&default_error_callback, prealloc_size); - if (EXPECT(rustsecp256k1zkp_v0_5_0_context_preallocated_create(ctx, flags) == NULL, 0)) { +rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_create(unsigned int flags) { + size_t const prealloc_size = rustsecp256k1zkp_v0_6_0_context_preallocated_size(flags); + rustsecp256k1zkp_v0_6_0_context* ctx = (rustsecp256k1zkp_v0_6_0_context*)checked_malloc(&default_error_callback, prealloc_size); + if (EXPECT(rustsecp256k1zkp_v0_6_0_context_preallocated_create(ctx, flags) == NULL, 0)) { free(ctx); return NULL; } @@ -184,79 +189,79 @@ rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_create(unsigned return ctx; } -rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_preallocated_clone(const rustsecp256k1zkp_v0_5_0_context* ctx, void* prealloc) { +rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_preallocated_clone(const rustsecp256k1zkp_v0_6_0_context* ctx, void* prealloc) { size_t prealloc_size; - rustsecp256k1zkp_v0_5_0_context* ret; + rustsecp256k1zkp_v0_6_0_context* ret; VERIFY_CHECK(ctx != NULL); ARG_CHECK(prealloc != NULL); - prealloc_size = rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(ctx); - ret = (rustsecp256k1zkp_v0_5_0_context*)prealloc; + prealloc_size = rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(ctx); + ret = (rustsecp256k1zkp_v0_6_0_context*)prealloc; memcpy(ret, ctx, prealloc_size); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx); - rustsecp256k1zkp_v0_5_0_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx); return ret; } -rustsecp256k1zkp_v0_5_0_context* rustsecp256k1zkp_v0_5_0_context_clone(const rustsecp256k1zkp_v0_5_0_context* ctx) { - rustsecp256k1zkp_v0_5_0_context* ret; +rustsecp256k1zkp_v0_6_0_context* rustsecp256k1zkp_v0_6_0_context_clone(const rustsecp256k1zkp_v0_6_0_context* ctx) { + rustsecp256k1zkp_v0_6_0_context* ret; size_t prealloc_size; VERIFY_CHECK(ctx != NULL); - prealloc_size = rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(ctx); - ret = (rustsecp256k1zkp_v0_5_0_context*)checked_malloc(&ctx->error_callback, prealloc_size); - ret = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(ctx, ret); + prealloc_size = rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(ctx); + ret = (rustsecp256k1zkp_v0_6_0_context*)checked_malloc(&ctx->error_callback, prealloc_size); + ret = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(ctx, ret); return ret; } -void rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(rustsecp256k1zkp_v0_5_0_context* ctx) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_5_0_context_no_precomp); +void rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(rustsecp256k1zkp_v0_6_0_context* ctx) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_6_0_context_no_precomp); if (ctx != NULL) { - rustsecp256k1zkp_v0_5_0_ecmult_context_clear(&ctx->ecmult_ctx); - rustsecp256k1zkp_v0_5_0_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_context_clear(&ctx->ecmult_ctx); + rustsecp256k1zkp_v0_6_0_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); } } -void rustsecp256k1zkp_v0_5_0_context_destroy(rustsecp256k1zkp_v0_5_0_context* ctx) { +void rustsecp256k1zkp_v0_6_0_context_destroy(rustsecp256k1zkp_v0_6_0_context* ctx) { if (ctx != NULL) { - rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx); + rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx); free(ctx); } } -void rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(rustsecp256k1zkp_v0_5_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_5_0_context_no_precomp); +void rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_6_0_context_no_precomp); if (fun == NULL) { - fun = rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn; + fun = rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn; } ctx->illegal_callback.fn = fun; ctx->illegal_callback.data = data; } -void rustsecp256k1zkp_v0_5_0_context_set_error_callback(rustsecp256k1zkp_v0_5_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_5_0_context_no_precomp); +void rustsecp256k1zkp_v0_6_0_context_set_error_callback(rustsecp256k1zkp_v0_6_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1zkp_v0_6_0_context_no_precomp); if (fun == NULL) { - fun = rustsecp256k1zkp_v0_5_0_default_error_callback_fn; + fun = rustsecp256k1zkp_v0_6_0_default_error_callback_fn; } ctx->error_callback.fn = fun; ctx->error_callback.data = data; } -rustsecp256k1zkp_v0_5_0_scratch_space* rustsecp256k1zkp_v0_5_0_scratch_space_create(const rustsecp256k1zkp_v0_5_0_context* ctx, size_t max_size) { +rustsecp256k1zkp_v0_6_0_scratch_space* rustsecp256k1zkp_v0_6_0_scratch_space_create(const rustsecp256k1zkp_v0_6_0_context* ctx, size_t max_size) { VERIFY_CHECK(ctx != NULL); - return rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, max_size); + return rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, max_size); } -void rustsecp256k1zkp_v0_5_0_scratch_space_destroy(const rustsecp256k1zkp_v0_5_0_context *ctx, rustsecp256k1zkp_v0_5_0_scratch_space* scratch) { +void rustsecp256k1zkp_v0_6_0_scratch_space_destroy(const rustsecp256k1zkp_v0_6_0_context *ctx, rustsecp256k1zkp_v0_6_0_scratch_space* scratch) { VERIFY_CHECK(ctx != NULL); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); } /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour * of the software. This is setup for use with valgrind but could be substituted with * the appropriate instrumentation for other analysis tools. */ -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_declassify(const rustsecp256k1zkp_v0_5_0_context* ctx, const void *p, size_t len) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_declassify(const rustsecp256k1zkp_v0_6_0_context* ctx, const void *p, size_t len) { #if defined(VALGRIND) if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len); #else @@ -266,59 +271,59 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_declassify(const rustsecp25 #endif } -static int rustsecp256k1zkp_v0_5_0_pubkey_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ge* ge, const rustsecp256k1zkp_v0_5_0_pubkey* pubkey) { - if (sizeof(rustsecp256k1zkp_v0_5_0_ge_storage) == 64) { - /* When the rustsecp256k1zkp_v0_5_0_ge_storage type is exactly 64 byte, use its - * representation inside rustsecp256k1zkp_v0_5_0_pubkey, as conversion is very fast. - * Note that rustsecp256k1zkp_v0_5_0_pubkey_save must use the same representation. */ - rustsecp256k1zkp_v0_5_0_ge_storage s; +static int rustsecp256k1zkp_v0_6_0_pubkey_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ge* ge, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey) { + if (sizeof(rustsecp256k1zkp_v0_6_0_ge_storage) == 64) { + /* When the rustsecp256k1zkp_v0_6_0_ge_storage type is exactly 64 byte, use its + * representation inside rustsecp256k1zkp_v0_6_0_pubkey, as conversion is very fast. + * Note that rustsecp256k1zkp_v0_6_0_pubkey_save must use the same representation. */ + rustsecp256k1zkp_v0_6_0_ge_storage s; memcpy(&s, &pubkey->data[0], sizeof(s)); - rustsecp256k1zkp_v0_5_0_ge_from_storage(ge, &s); + rustsecp256k1zkp_v0_6_0_ge_from_storage(ge, &s); } else { /* Otherwise, fall back to 32-byte big endian for X and Y. */ - rustsecp256k1zkp_v0_5_0_fe x, y; - rustsecp256k1zkp_v0_5_0_fe_set_b32(&x, pubkey->data); - rustsecp256k1zkp_v0_5_0_fe_set_b32(&y, pubkey->data + 32); - rustsecp256k1zkp_v0_5_0_ge_set_xy(ge, &x, &y); + rustsecp256k1zkp_v0_6_0_fe x, y; + rustsecp256k1zkp_v0_6_0_fe_set_b32(&x, pubkey->data); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&y, pubkey->data + 32); + rustsecp256k1zkp_v0_6_0_ge_set_xy(ge, &x, &y); } - ARG_CHECK(!rustsecp256k1zkp_v0_5_0_fe_is_zero(&ge->x)); + ARG_CHECK(!rustsecp256k1zkp_v0_6_0_fe_is_zero(&ge->x)); return 1; } -static void rustsecp256k1zkp_v0_5_0_pubkey_save(rustsecp256k1zkp_v0_5_0_pubkey* pubkey, rustsecp256k1zkp_v0_5_0_ge* ge) { - if (sizeof(rustsecp256k1zkp_v0_5_0_ge_storage) == 64) { - rustsecp256k1zkp_v0_5_0_ge_storage s; - rustsecp256k1zkp_v0_5_0_ge_to_storage(&s, ge); +static void rustsecp256k1zkp_v0_6_0_pubkey_save(rustsecp256k1zkp_v0_6_0_pubkey* pubkey, rustsecp256k1zkp_v0_6_0_ge* ge) { + if (sizeof(rustsecp256k1zkp_v0_6_0_ge_storage) == 64) { + rustsecp256k1zkp_v0_6_0_ge_storage s; + rustsecp256k1zkp_v0_6_0_ge_to_storage(&s, ge); memcpy(&pubkey->data[0], &s, sizeof(s)); } else { - VERIFY_CHECK(!rustsecp256k1zkp_v0_5_0_ge_is_infinity(ge)); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge->x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge->y); - rustsecp256k1zkp_v0_5_0_fe_get_b32(pubkey->data, &ge->x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(pubkey->data + 32, &ge->y); + VERIFY_CHECK(!rustsecp256k1zkp_v0_6_0_ge_is_infinity(ge)); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge->x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge->y); + rustsecp256k1zkp_v0_6_0_fe_get_b32(pubkey->data, &ge->x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(pubkey->data + 32, &ge->y); } } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey* pubkey, const unsigned char *input, size_t inputlen) { - rustsecp256k1zkp_v0_5_0_ge Q; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey* pubkey, const unsigned char *input, size_t inputlen) { + rustsecp256k1zkp_v0_6_0_ge Q; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); ARG_CHECK(input != NULL); - if (!rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&Q, input, inputlen)) { + if (!rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&Q, input, inputlen)) { return 0; } - if (!rustsecp256k1zkp_v0_5_0_ge_is_in_correct_subgroup(&Q)) { + if (!rustsecp256k1zkp_v0_6_0_ge_is_in_correct_subgroup(&Q)) { return 0; } - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &Q); - rustsecp256k1zkp_v0_5_0_ge_clear(&Q); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &Q); + rustsecp256k1zkp_v0_6_0_ge_clear(&Q); return 1; } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_5_0_pubkey* pubkey, unsigned int flags) { - rustsecp256k1zkp_v0_5_0_ge Q; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey, unsigned int flags) { + rustsecp256k1zkp_v0_6_0_ge Q; size_t len; int ret = 0; @@ -331,8 +336,8 @@ int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_5_0_co memset(output, 0, len); ARG_CHECK(pubkey != NULL); ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); - if (rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &Q, pubkey)) { - ret = rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); + if (rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &Q, pubkey)) { + ret = rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); if (ret) { *outputlen = len; } @@ -340,39 +345,65 @@ int rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(const rustsecp256k1zkp_v0_5_0_co return ret; } -static void rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar* r, rustsecp256k1zkp_v0_5_0_scalar* s, const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig) { +int rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey0, const rustsecp256k1zkp_v0_6_0_pubkey* pubkey1) { + unsigned char out[2][33]; + const rustsecp256k1zkp_v0_6_0_pubkey* pk[2]; + int i; + + VERIFY_CHECK(ctx != NULL); + pk[0] = pubkey0; pk[1] = pubkey1; + for (i = 0; i < 2; i++) { + size_t out_size = sizeof(out[i]); + /* If the public key is NULL or invalid, ec_pubkey_serialize will call + * the illegal_callback and return 0. In that case we will serialize the + * key as all zeros which is less than any valid public key. This + * results in consistent comparisons even if NULL or invalid pubkeys are + * involved and prevents edge cases such as sorting algorithms that use + * this function and do not terminate as a result. */ + if (!rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) { + /* Note that ec_pubkey_serialize should already set the output to + * zero in that case, but it's not guaranteed by the API, we can't + * test it and writing a VERIFY_CHECK is more complex than + * explicitly memsetting (again). */ + memset(out[i], 0, sizeof(out[i])); + } + } + return rustsecp256k1zkp_v0_6_0_memcmp_var(out[0], out[1], sizeof(out[0])); +} + +static void rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar* r, rustsecp256k1zkp_v0_6_0_scalar* s, const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig) { (void)ctx; - if (sizeof(rustsecp256k1zkp_v0_5_0_scalar) == 32) { - /* When the rustsecp256k1zkp_v0_5_0_scalar type is exactly 32 byte, use its - * representation inside rustsecp256k1zkp_v0_5_0_ecdsa_signature, as conversion is very fast. - * Note that rustsecp256k1zkp_v0_5_0_ecdsa_signature_save must use the same representation. */ + if (sizeof(rustsecp256k1zkp_v0_6_0_scalar) == 32) { + /* When the rustsecp256k1zkp_v0_6_0_scalar type is exactly 32 byte, use its + * representation inside rustsecp256k1zkp_v0_6_0_ecdsa_signature, as conversion is very fast. + * Note that rustsecp256k1zkp_v0_6_0_ecdsa_signature_save must use the same representation. */ memcpy(r, &sig->data[0], 32); memcpy(s, &sig->data[32], 32); } else { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, &sig->data[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(s, &sig->data[32], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(r, &sig->data[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(s, &sig->data[32], NULL); } } -static void rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const rustsecp256k1zkp_v0_5_0_scalar* r, const rustsecp256k1zkp_v0_5_0_scalar* s) { - if (sizeof(rustsecp256k1zkp_v0_5_0_scalar) == 32) { +static void rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const rustsecp256k1zkp_v0_6_0_scalar* r, const rustsecp256k1zkp_v0_6_0_scalar* s) { + if (sizeof(rustsecp256k1zkp_v0_6_0_scalar) == 32) { memcpy(&sig->data[0], r, 32); memcpy(&sig->data[32], s, 32); } else { - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig->data[0], r); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&sig->data[32], s); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig->data[0], r); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&sig->data[32], s); } } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { + rustsecp256k1zkp_v0_6_0_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(input != NULL); - if (rustsecp256k1zkp_v0_5_0_ecdsa_sig_parse(&r, &s, input, inputlen)) { - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sig, &r, &s); + if (rustsecp256k1zkp_v0_6_0_ecdsa_sig_parse(&r, &s, input, inputlen)) { + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sig, &r, &s); return 1; } else { memset(sig, 0, sizeof(*sig)); @@ -380,8 +411,8 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(const rustsecp256k1zkp_v0_ } } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig, const unsigned char *input64) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig, const unsigned char *input64) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret = 1; int overflow = 0; @@ -389,77 +420,77 @@ int rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(const rustsecp256k1zkp ARG_CHECK(sig != NULL); ARG_CHECK(input64 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&r, &input64[0], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&r, &input64[0], &overflow); ret &= !overflow; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s, &input64[32], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s, &input64[32], &overflow); ret &= !overflow; if (ret) { - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sig, &r, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sig, &r, &s); } else { memset(sig, 0, sizeof(*sig)); } return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig) { + rustsecp256k1zkp_v0_6_0_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output != NULL); ARG_CHECK(outputlen != NULL); ARG_CHECK(sig != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sig); - return rustsecp256k1zkp_v0_5_0_ecdsa_sig_serialize(output, outputlen, &r, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sig); + return rustsecp256k1zkp_v0_6_0_ecdsa_sig_serialize(output, outputlen, &r, &s); } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *output64, const rustsecp256k1zkp_v0_5_0_ecdsa_signature* sig) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *output64, const rustsecp256k1zkp_v0_6_0_ecdsa_signature* sig) { + rustsecp256k1zkp_v0_6_0_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output64 != NULL); ARG_CHECK(sig != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sig); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&output64[0], &r); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(&output64[32], &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sig); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&output64[0], &r); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(&output64[32], &s); return 1; } -int rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigout, const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sigin) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigout, const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sigin) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(sigin != NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sigin); - ret = rustsecp256k1zkp_v0_5_0_scalar_is_high(&s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sigin); + ret = rustsecp256k1zkp_v0_6_0_scalar_is_high(&s); if (sigout != NULL) { if (ret) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, &s); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, &s); } - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(sigout, &r, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(sigout, &r, &s); } return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig, const unsigned char *msghash32, const rustsecp256k1zkp_v0_5_0_pubkey *pubkey) { - rustsecp256k1zkp_v0_5_0_ge q; - rustsecp256k1zkp_v0_5_0_scalar r, s; - rustsecp256k1zkp_v0_5_0_scalar m; +int rustsecp256k1zkp_v0_6_0_ecdsa_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig, const unsigned char *msghash32, const rustsecp256k1zkp_v0_6_0_pubkey *pubkey) { + rustsecp256k1zkp_v0_6_0_ge q; + rustsecp256k1zkp_v0_6_0_scalar r, s; + rustsecp256k1zkp_v0_6_0_scalar m; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(msghash32 != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(pubkey != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&m, msghash32, NULL); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, sig); - return (!rustsecp256k1zkp_v0_5_0_scalar_is_high(&s) && - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &q, pubkey) && - rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&m, msghash32, NULL); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, sig); + return (!rustsecp256k1zkp_v0_6_0_scalar_is_high(&s) && + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &q, pubkey) && + rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); } static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) { @@ -470,7 +501,7 @@ static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *off static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { unsigned char keydata[112]; unsigned int offset = 0; - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 rng; + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 rng; unsigned int i; /* We feed a byte array to the PRNG as input, consisting of: * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. @@ -488,80 +519,80 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m if (algo16 != NULL) { buffer_append(keydata, &offset, algo16, 16); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); memset(keydata, 0, sizeof(keydata)); for (i = 0; i <= counter; i++) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(&rng); return 1; } -const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_rfc6979 = nonce_function_rfc6979; -const rustsecp256k1zkp_v0_5_0_nonce_function rustsecp256k1zkp_v0_5_0_nonce_function_default = nonce_function_rfc6979; +const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_rfc6979 = nonce_function_rfc6979; +const rustsecp256k1zkp_v0_6_0_nonce_function rustsecp256k1zkp_v0_6_0_nonce_function_default = nonce_function_rfc6979; -static int rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_scalar* r, rustsecp256k1zkp_v0_5_0_scalar* s, int* recid, rustsecp256k1zkp_v0_5_0_sha256* s2c_sha, rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening *s2c_opening, const unsigned char* s2c_data32, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1zkp_v0_5_0_nonce_function noncefp, const void* noncedata) { - rustsecp256k1zkp_v0_5_0_scalar sec, non, msg; +static int rustsecp256k1zkp_v0_6_0_ecdsa_sign_inner(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_scalar* r, rustsecp256k1zkp_v0_6_0_scalar* s, int* recid, rustsecp256k1zkp_v0_6_0_sha256* s2c_sha, rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening *s2c_opening, const unsigned char* s2c_data32, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void* noncedata) { + rustsecp256k1zkp_v0_6_0_scalar sec, non, msg; int ret = 0; int is_sec_valid; unsigned char nonce32[32]; unsigned int count = 0; /* Default initialization here is important so we won't pass uninit values to the cmov in the end */ - *r = rustsecp256k1zkp_v0_5_0_scalar_zero; - *s = rustsecp256k1zkp_v0_5_0_scalar_zero; + *r = rustsecp256k1zkp_v0_6_0_scalar_zero; + *s = rustsecp256k1zkp_v0_6_0_scalar_zero; if (recid) { *recid = 0; } if (noncefp == NULL) { - noncefp = rustsecp256k1zkp_v0_5_0_nonce_function_default; + noncefp = rustsecp256k1zkp_v0_6_0_nonce_function_default; } /* sign-to-contract commitments only work with the default nonce function, * because we need to ensure that s2c_data is actually hashed into the nonce and * not just ignored. Otherwise an attacker can exfiltrate the secret key by * signing the same message thrice with different commitments. */ - VERIFY_CHECK(s2c_data32 == NULL || noncefp == rustsecp256k1zkp_v0_5_0_nonce_function_default); + VERIFY_CHECK(s2c_data32 == NULL || noncefp == rustsecp256k1zkp_v0_6_0_nonce_function_default); /* Fail if the secret key is invalid. */ - is_sec_valid = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_one, !is_sec_valid); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&msg, msg32, NULL); + is_sec_valid = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_one, !is_sec_valid); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&msg, msg32, NULL); while (1) { int is_nonce_valid; ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); if (!ret) { break; } - is_nonce_valid = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&non, nonce32); + is_nonce_valid = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&non, nonce32); /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); if (is_nonce_valid) { if (s2c_data32 != NULL) { - rustsecp256k1zkp_v0_5_0_gej nonce_pj; - rustsecp256k1zkp_v0_5_0_ge nonce_p; + rustsecp256k1zkp_v0_6_0_gej nonce_pj; + rustsecp256k1zkp_v0_6_0_ge nonce_p; /* Compute original nonce commitment/pubkey */ - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_pj, &non); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&nonce_p, &nonce_pj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_pj, &non); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&nonce_p, &nonce_pj); if (s2c_opening != NULL) { - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening_save(s2c_opening, &nonce_p); + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening_save(s2c_opening, &nonce_p); } /* Because the nonce is valid, the nonce point isn't the point * at infinity and we can declassify that information to be able to * serialize the point. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &nonce_p.infinity, sizeof(nonce_p.infinity)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &nonce_p.infinity, sizeof(nonce_p.infinity)); /* Tweak nonce with s2c commitment. */ - ret = rustsecp256k1zkp_v0_5_0_ec_commit_seckey(&non, &nonce_p, s2c_sha, s2c_data32, 32); - rustsecp256k1zkp_v0_5_0_declassify(ctx, &ret, sizeof(ret)); /* may be secret that the tweak falied, but happens with negligible probability */ + ret = rustsecp256k1zkp_v0_6_0_ec_commit_seckey(&non, &nonce_p, s2c_sha, s2c_data32, 32); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &ret, sizeof(ret)); /* may be secret that the tweak falied, but happens with negligible probability */ if (!ret) { break; } } - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid); /* The final signature is no longer a secret, nor is the fact that we were successful or not. */ - rustsecp256k1zkp_v0_5_0_declassify(ctx, &ret, sizeof(ret)); + rustsecp256k1zkp_v0_6_0_declassify(ctx, &ret, sizeof(ret)); if (ret) { break; } @@ -573,204 +604,204 @@ static int rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(const rustsecp256k1zkp_v0_5_ * used as a branching variable. */ ret &= is_sec_valid; memset(nonce32, 0, 32); - rustsecp256k1zkp_v0_5_0_scalar_clear(&msg); - rustsecp256k1zkp_v0_5_0_scalar_clear(&non); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); - rustsecp256k1zkp_v0_5_0_scalar_cmov(r, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_cmov(s, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_clear(&msg); + rustsecp256k1zkp_v0_6_0_scalar_clear(&non); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_cmov(r, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_cmov(s, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); if (recid) { const int zero = 0; - rustsecp256k1zkp_v0_5_0_int_cmov(recid, &zero, !ret); + rustsecp256k1zkp_v0_6_0_int_cmov(recid, &zero, !ret); } return ret; } -int rustsecp256k1zkp_v0_5_0_ecdsa_sign(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, rustsecp256k1zkp_v0_5_0_nonce_function noncefp, const void* noncedata) { - rustsecp256k1zkp_v0_5_0_scalar r, s; +int rustsecp256k1zkp_v0_6_0_ecdsa_sign(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, rustsecp256k1zkp_v0_6_0_nonce_function noncefp, const void* noncedata) { + rustsecp256k1zkp_v0_6_0_scalar r, s; int ret; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(msghash32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sign_inner(ctx, &r, &s, NULL, NULL, NULL, NULL, msghash32, seckey, noncefp, noncedata); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(signature, &r, &s); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sign_inner(ctx, &r, &s, NULL, NULL, NULL, NULL, msghash32, seckey, noncefp, noncedata); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(signature, &r, &s); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_verify(const rustsecp256k1zkp_v0_5_0_context* ctx, const unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_verify(const rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_scalar sec; int ret; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } -static int rustsecp256k1zkp_v0_5_0_ec_pubkey_create_helper(const rustsecp256k1zkp_v0_5_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_5_0_scalar *seckey_scalar, rustsecp256k1zkp_v0_5_0_ge *p, const unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_gej pj; +static int rustsecp256k1zkp_v0_6_0_ec_pubkey_create_helper(const rustsecp256k1zkp_v0_6_0_ecmult_gen_context *ecmult_gen_ctx, rustsecp256k1zkp_v0_6_0_scalar *seckey_scalar, rustsecp256k1zkp_v0_6_0_ge *p, const unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_gej pj; int ret; - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(seckey_scalar, seckey); - rustsecp256k1zkp_v0_5_0_scalar_cmov(seckey_scalar, &rustsecp256k1zkp_v0_5_0_scalar_one, !ret); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(seckey_scalar, seckey); + rustsecp256k1zkp_v0_6_0_scalar_cmov(seckey_scalar, &rustsecp256k1zkp_v0_6_0_scalar_one, !ret); - rustsecp256k1zkp_v0_5_0_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar); - rustsecp256k1zkp_v0_5_0_ge_set_gej(p, &pj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar); + rustsecp256k1zkp_v0_6_0_ge_set_gej(p, &pj); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_create(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_ge p; - rustsecp256k1zkp_v0_5_0_scalar seckey_scalar; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_create(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_ge p; + rustsecp256k1zkp_v0_6_0_scalar seckey_scalar; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey); - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); - rustsecp256k1zkp_v0_5_0_memczero(pubkey, sizeof(*pubkey), !ret); + ret = rustsecp256k1zkp_v0_6_0_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); + rustsecp256k1zkp_v0_6_0_memczero(pubkey, sizeof(*pubkey), !ret); - rustsecp256k1zkp_v0_5_0_scalar_clear(&seckey_scalar); + rustsecp256k1zkp_v0_6_0_scalar_clear(&seckey_scalar); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_negate(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey) { - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_negate(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey) { + rustsecp256k1zkp_v0_6_0_scalar sec; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_negate(&sec, &sec); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &sec); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_negate(&sec, &sec); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_privkey_negate(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey) { - return rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, seckey); +int rustsecp256k1zkp_v0_6_0_ec_privkey_negate(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey) { + return rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, seckey); } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey) { +int rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey) { int ret = 0; - rustsecp256k1zkp_v0_5_0_ge p; + rustsecp256k1zkp_v0_6_0_ge p; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); - ret = rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &p, pubkey); + ret = rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); if (ret) { - rustsecp256k1zkp_v0_5_0_ge_neg(&p, &p); - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); + rustsecp256k1zkp_v0_6_0_ge_neg(&p, &p); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); } return ret; } -static int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_5_0_scalar *sec, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar term; +static int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(rustsecp256k1zkp_v0_6_0_scalar *sec, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar term; int overflow = 0; int ret = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&term, tweak32, &overflow); - ret = (!overflow) & rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_add(sec, &term); - rustsecp256k1zkp_v0_5_0_scalar_clear(&term); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&term, tweak32, &overflow); + ret = (!overflow) & rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_add(sec, &term); + rustsecp256k1zkp_v0_6_0_scalar_clear(&term); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar sec; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); ARG_CHECK(tweak32 != NULL); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - ret &= rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add_helper(&sec, tweak32); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &sec); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + ret &= rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add_helper(&sec, tweak32); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - return rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, seckey, tweak32); +int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + return rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, seckey, tweak32); } -static int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_5_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_5_0_ge *p, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar term; +static int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(const rustsecp256k1zkp_v0_6_0_ecmult_context* ecmult_ctx, rustsecp256k1zkp_v0_6_0_ge *p, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar term; int overflow = 0; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&term, tweak32, &overflow); - return !overflow && rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_add(ecmult_ctx, p, &term); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&term, tweak32, &overflow); + return !overflow && rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_add(ecmult_ctx, p, &term); } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge p; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge p; int ret = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(pubkey != NULL); ARG_CHECK(tweak32 != NULL); - ret = rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &p, pubkey); + ret = rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); - ret = ret && rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32); + ret = ret && rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32); if (ret) { - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); } return ret; } -int rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_scalar factor; - rustsecp256k1zkp_v0_5_0_scalar sec; +int rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_scalar factor; + rustsecp256k1zkp_v0_6_0_scalar sec; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); ARG_CHECK(tweak32 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&factor, tweak32, &overflow); - ret = rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&sec, seckey); - ret &= (!overflow) & rustsecp256k1zkp_v0_5_0_eckey_privkey_tweak_mul(&sec, &factor); - rustsecp256k1zkp_v0_5_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_5_0_scalar_zero, !ret); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &sec); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&factor, tweak32, &overflow); + ret = rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&sec, seckey); + ret &= (!overflow) & rustsecp256k1zkp_v0_6_0_eckey_privkey_tweak_mul(&sec, &factor); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&sec, &rustsecp256k1zkp_v0_6_0_scalar_zero, !ret); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sec); - rustsecp256k1zkp_v0_5_0_scalar_clear(&factor); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sec); + rustsecp256k1zkp_v0_6_0_scalar_clear(&factor); return ret; } -int rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { - return rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, seckey, tweak32); +int rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_mul(const rustsecp256k1zkp_v0_6_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { + return rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, seckey, tweak32); } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubkey, const unsigned char *tweak32) { - rustsecp256k1zkp_v0_5_0_ge p; - rustsecp256k1zkp_v0_5_0_scalar factor; +int rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubkey, const unsigned char *tweak32) { + rustsecp256k1zkp_v0_6_0_ge p; + rustsecp256k1zkp_v0_6_0_scalar factor; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1zkp_v0_5_0_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1zkp_v0_6_0_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(pubkey != NULL); ARG_CHECK(tweak32 != NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&factor, tweak32, &overflow); - ret = !overflow && rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &p, pubkey); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&factor, tweak32, &overflow); + ret = !overflow && rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); if (ret) { - if (rustsecp256k1zkp_v0_5_0_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { - rustsecp256k1zkp_v0_5_0_pubkey_save(pubkey, &p); + if (rustsecp256k1zkp_v0_6_0_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { + rustsecp256k1zkp_v0_6_0_pubkey_save(pubkey, &p); } else { ret = 0; } @@ -779,35 +810,35 @@ int rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(const rustsecp256k1zkp_v0_5_0_co return ret; } -int rustsecp256k1zkp_v0_5_0_context_randomize(rustsecp256k1zkp_v0_5_0_context* ctx, const unsigned char *seed32) { +int rustsecp256k1zkp_v0_6_0_context_randomize(rustsecp256k1zkp_v0_6_0_context* ctx, const unsigned char *seed32) { VERIFY_CHECK(ctx != NULL); - if (rustsecp256k1zkp_v0_5_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { - rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); + if (rustsecp256k1zkp_v0_6_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); } return 1; } -int rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(const rustsecp256k1zkp_v0_5_0_context* ctx, rustsecp256k1zkp_v0_5_0_pubkey *pubnonce, const rustsecp256k1zkp_v0_5_0_pubkey * const *pubnonces, size_t n) { +int rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(const rustsecp256k1zkp_v0_6_0_context* ctx, rustsecp256k1zkp_v0_6_0_pubkey *pubnonce, const rustsecp256k1zkp_v0_6_0_pubkey * const *pubnonces, size_t n) { size_t i; - rustsecp256k1zkp_v0_5_0_gej Qj; - rustsecp256k1zkp_v0_5_0_ge Q; + rustsecp256k1zkp_v0_6_0_gej Qj; + rustsecp256k1zkp_v0_6_0_ge Q; ARG_CHECK(pubnonce != NULL); memset(pubnonce, 0, sizeof(*pubnonce)); ARG_CHECK(n >= 1); ARG_CHECK(pubnonces != NULL); - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&Qj); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&Qj); for (i = 0; i < n; i++) { - rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &Q, pubnonces[i]); - rustsecp256k1zkp_v0_5_0_gej_add_ge(&Qj, &Qj, &Q); + rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &Q, pubnonces[i]); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&Qj, &Qj, &Q); } - if (rustsecp256k1zkp_v0_5_0_gej_is_infinity(&Qj)) { + if (rustsecp256k1zkp_v0_6_0_gej_is_infinity(&Qj)) { return 0; } - rustsecp256k1zkp_v0_5_0_ge_set_gej(&Q, &Qj); - rustsecp256k1zkp_v0_5_0_pubkey_save(pubnonce, &Q); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&Q, &Qj); + rustsecp256k1zkp_v0_6_0_pubkey_save(pubnonce, &Q); return 1; } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/selftest.h b/secp256k1-zkp-sys/depend/secp256k1/src/selftest.h index 2246fc1e..73b35f38 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/selftest.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/selftest.h @@ -11,22 +11,22 @@ #include -static int rustsecp256k1zkp_v0_5_0_selftest_sha256(void) { +static int rustsecp256k1zkp_v0_6_0_selftest_sha256(void) { static const char *input63 = "For this sample, this 63-byte string will be used as input data"; static const unsigned char output32[32] = { 0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42, }; unsigned char out[32]; - rustsecp256k1zkp_v0_5_0_sha256 hasher; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&hasher); - rustsecp256k1zkp_v0_5_0_sha256_write(&hasher, (const unsigned char*)input63, 63); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&hasher, out); - return rustsecp256k1zkp_v0_5_0_memcmp_var(out, output32, 32) == 0; + rustsecp256k1zkp_v0_6_0_sha256 hasher; + rustsecp256k1zkp_v0_6_0_sha256_initialize(&hasher); + rustsecp256k1zkp_v0_6_0_sha256_write(&hasher, (const unsigned char*)input63, 63); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&hasher, out); + return rustsecp256k1zkp_v0_6_0_memcmp_var(out, output32, 32) == 0; } -static int rustsecp256k1zkp_v0_5_0_selftest(void) { - return rustsecp256k1zkp_v0_5_0_selftest_sha256(); +static int rustsecp256k1zkp_v0_6_0_selftest(void) { + return rustsecp256k1zkp_v0_6_0_selftest_sha256(); } #endif /* SECP256K1_SELFTEST_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/testrand.h b/secp256k1-zkp-sys/depend/secp256k1/src/testrand.h index 3c7547df..e95d9b58 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/testrand.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/testrand.h @@ -14,37 +14,37 @@ /* A non-cryptographic RNG used only for test infrastructure. */ /** Seed the pseudorandom number generator for testing. */ -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_testrand_seed(const unsigned char *seed16); +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_testrand_seed(const unsigned char *seed16); /** Generate a pseudorandom number in the range [0..2**32-1]. */ -static uint32_t rustsecp256k1zkp_v0_5_0_testrand32(void); +static uint32_t rustsecp256k1zkp_v0_6_0_testrand32(void); /** Generate a pseudorandom number in the range [0..2**bits-1]. Bits must be 1 or * more. */ -static uint32_t rustsecp256k1zkp_v0_5_0_testrand_bits(int bits); +static uint32_t rustsecp256k1zkp_v0_6_0_testrand_bits(int bits); /** Generate a pseudorandom number in the range [0..range-1]. */ -static uint32_t rustsecp256k1zkp_v0_5_0_testrand_int(uint32_t range); +static uint32_t rustsecp256k1zkp_v0_6_0_testrand_int(uint32_t range); /** Generate a pseudorandom 32-byte array. */ -static void rustsecp256k1zkp_v0_5_0_testrand256(unsigned char *b32); +static void rustsecp256k1zkp_v0_6_0_testrand256(unsigned char *b32); /** Generate a pseudorandom 32-byte array with long sequences of zero and one bits. */ -static void rustsecp256k1zkp_v0_5_0_testrand256_test(unsigned char *b32); +static void rustsecp256k1zkp_v0_6_0_testrand256_test(unsigned char *b32); /** Generate pseudorandom bytes with long sequences of zero and one bits. */ -static void rustsecp256k1zkp_v0_5_0_testrand_bytes_test(unsigned char *bytes, size_t len); +static void rustsecp256k1zkp_v0_6_0_testrand_bytes_test(unsigned char *bytes, size_t len); /** Generate a pseudorandom 64-bit integer in the range min..max, inclusive. */ -static int64_t rustsecp256k1zkp_v0_5_0_testrandi64(uint64_t min, uint64_t max); +static int64_t rustsecp256k1zkp_v0_6_0_testrandi64(uint64_t min, uint64_t max); /** Flip a single random bit in a byte array */ -static void rustsecp256k1zkp_v0_5_0_testrand_flip(unsigned char *b, size_t len); +static void rustsecp256k1zkp_v0_6_0_testrand_flip(unsigned char *b, size_t len); /** Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL. */ -static void rustsecp256k1zkp_v0_5_0_testrand_init(const char* hexseed); +static void rustsecp256k1zkp_v0_6_0_testrand_init(const char* hexseed); /** Print final test information. */ -static void rustsecp256k1zkp_v0_5_0_testrand_finish(void); +static void rustsecp256k1zkp_v0_6_0_testrand_finish(void); #endif /* SECP256K1_TESTRAND_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/testrand_impl.h b/secp256k1-zkp-sys/depend/secp256k1/src/testrand_impl.h index 00541082..1444c4b4 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/testrand_impl.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/testrand_impl.h @@ -15,38 +15,38 @@ #include "testrand.h" #include "hash.h" -static rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 rustsecp256k1zkp_v0_5_0_test_rng; -static uint32_t rustsecp256k1zkp_v0_5_0_test_rng_precomputed[8]; -static int rustsecp256k1zkp_v0_5_0_test_rng_precomputed_used = 8; -static uint64_t rustsecp256k1zkp_v0_5_0_test_rng_integer; -static int rustsecp256k1zkp_v0_5_0_test_rng_integer_bits_left = 0; - -SECP256K1_INLINE static void rustsecp256k1zkp_v0_5_0_testrand_seed(const unsigned char *seed16) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rustsecp256k1zkp_v0_5_0_test_rng, seed16, 16); +static rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 rustsecp256k1zkp_v0_6_0_test_rng; +static uint32_t rustsecp256k1zkp_v0_6_0_test_rng_precomputed[8]; +static int rustsecp256k1zkp_v0_6_0_test_rng_precomputed_used = 8; +static uint64_t rustsecp256k1zkp_v0_6_0_test_rng_integer; +static int rustsecp256k1zkp_v0_6_0_test_rng_integer_bits_left = 0; + +SECP256K1_INLINE static void rustsecp256k1zkp_v0_6_0_testrand_seed(const unsigned char *seed16) { + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rustsecp256k1zkp_v0_6_0_test_rng, seed16, 16); } -SECP256K1_INLINE static uint32_t rustsecp256k1zkp_v0_5_0_testrand32(void) { - if (rustsecp256k1zkp_v0_5_0_test_rng_precomputed_used == 8) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, (unsigned char*)(&rustsecp256k1zkp_v0_5_0_test_rng_precomputed[0]), sizeof(rustsecp256k1zkp_v0_5_0_test_rng_precomputed)); - rustsecp256k1zkp_v0_5_0_test_rng_precomputed_used = 0; +SECP256K1_INLINE static uint32_t rustsecp256k1zkp_v0_6_0_testrand32(void) { + if (rustsecp256k1zkp_v0_6_0_test_rng_precomputed_used == 8) { + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, (unsigned char*)(&rustsecp256k1zkp_v0_6_0_test_rng_precomputed[0]), sizeof(rustsecp256k1zkp_v0_6_0_test_rng_precomputed)); + rustsecp256k1zkp_v0_6_0_test_rng_precomputed_used = 0; } - return rustsecp256k1zkp_v0_5_0_test_rng_precomputed[rustsecp256k1zkp_v0_5_0_test_rng_precomputed_used++]; + return rustsecp256k1zkp_v0_6_0_test_rng_precomputed[rustsecp256k1zkp_v0_6_0_test_rng_precomputed_used++]; } -static uint32_t rustsecp256k1zkp_v0_5_0_testrand_bits(int bits) { +static uint32_t rustsecp256k1zkp_v0_6_0_testrand_bits(int bits) { uint32_t ret; - if (rustsecp256k1zkp_v0_5_0_test_rng_integer_bits_left < bits) { - rustsecp256k1zkp_v0_5_0_test_rng_integer |= (((uint64_t)rustsecp256k1zkp_v0_5_0_testrand32()) << rustsecp256k1zkp_v0_5_0_test_rng_integer_bits_left); - rustsecp256k1zkp_v0_5_0_test_rng_integer_bits_left += 32; + if (rustsecp256k1zkp_v0_6_0_test_rng_integer_bits_left < bits) { + rustsecp256k1zkp_v0_6_0_test_rng_integer |= (((uint64_t)rustsecp256k1zkp_v0_6_0_testrand32()) << rustsecp256k1zkp_v0_6_0_test_rng_integer_bits_left); + rustsecp256k1zkp_v0_6_0_test_rng_integer_bits_left += 32; } - ret = rustsecp256k1zkp_v0_5_0_test_rng_integer; - rustsecp256k1zkp_v0_5_0_test_rng_integer >>= bits; - rustsecp256k1zkp_v0_5_0_test_rng_integer_bits_left -= bits; + ret = rustsecp256k1zkp_v0_6_0_test_rng_integer; + rustsecp256k1zkp_v0_6_0_test_rng_integer >>= bits; + rustsecp256k1zkp_v0_6_0_test_rng_integer_bits_left -= bits; ret &= ((~((uint32_t)0)) >> (32 - bits)); return ret; } -static uint32_t rustsecp256k1zkp_v0_5_0_testrand_int(uint32_t range) { +static uint32_t rustsecp256k1zkp_v0_6_0_testrand_int(uint32_t range) { /* We want a uniform integer between 0 and range-1, inclusive. * B is the smallest number such that range <= 2**B. * two mechanisms implemented here: @@ -78,25 +78,25 @@ static uint32_t rustsecp256k1zkp_v0_5_0_testrand_int(uint32_t range) { mult = 1; } while(1) { - uint32_t x = rustsecp256k1zkp_v0_5_0_testrand_bits(bits); + uint32_t x = rustsecp256k1zkp_v0_6_0_testrand_bits(bits); if (x < trange) { return (mult == 1) ? x : (x % range); } } } -static void rustsecp256k1zkp_v0_5_0_testrand256(unsigned char *b32) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_5_0_test_rng, b32, 32); +static void rustsecp256k1zkp_v0_6_0_testrand256(unsigned char *b32) { + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rustsecp256k1zkp_v0_6_0_test_rng, b32, 32); } -static void rustsecp256k1zkp_v0_5_0_testrand_bytes_test(unsigned char *bytes, size_t len) { +static void rustsecp256k1zkp_v0_6_0_testrand_bytes_test(unsigned char *bytes, size_t len) { size_t bits = 0; memset(bytes, 0, len); while (bits < len * 8) { int now; uint32_t val; - now = 1 + (rustsecp256k1zkp_v0_5_0_testrand_bits(6) * rustsecp256k1zkp_v0_5_0_testrand_bits(5) + 16) / 31; - val = rustsecp256k1zkp_v0_5_0_testrand_bits(1); + now = 1 + (rustsecp256k1zkp_v0_6_0_testrand_bits(6) * rustsecp256k1zkp_v0_6_0_testrand_bits(5) + 16) / 31; + val = rustsecp256k1zkp_v0_6_0_testrand_bits(1); while (now > 0 && bits < len * 8) { bytes[bits / 8] |= val << (bits % 8); now--; @@ -105,11 +105,11 @@ static void rustsecp256k1zkp_v0_5_0_testrand_bytes_test(unsigned char *bytes, si } } -static void rustsecp256k1zkp_v0_5_0_testrand256_test(unsigned char *b32) { - rustsecp256k1zkp_v0_5_0_testrand_bytes_test(b32, 32); +static void rustsecp256k1zkp_v0_6_0_testrand256_test(unsigned char *b32) { + rustsecp256k1zkp_v0_6_0_testrand_bytes_test(b32, 32); } -SECP256K1_INLINE static int64_t rustsecp256k1zkp_v0_5_0_testrandi64(uint64_t min, uint64_t max) { +SECP256K1_INLINE static int64_t rustsecp256k1zkp_v0_6_0_testrandi64(uint64_t min, uint64_t max) { uint64_t range; uint64_t r; uint64_t clz; @@ -118,19 +118,19 @@ SECP256K1_INLINE static int64_t rustsecp256k1zkp_v0_5_0_testrandi64(uint64_t min return min; } range = max - min; - clz = rustsecp256k1zkp_v0_5_0_clz64_var(range); + clz = rustsecp256k1zkp_v0_6_0_clz64_var(range); do { - r = ((uint64_t)rustsecp256k1zkp_v0_5_0_testrand32() << 32) | rustsecp256k1zkp_v0_5_0_testrand32(); + r = ((uint64_t)rustsecp256k1zkp_v0_6_0_testrand32() << 32) | rustsecp256k1zkp_v0_6_0_testrand32(); r >>= clz; } while (r > range); return min + (int64_t)r; } -static void rustsecp256k1zkp_v0_5_0_testrand_flip(unsigned char *b, size_t len) { - b[rustsecp256k1zkp_v0_5_0_testrand_int(len)] ^= (1 << rustsecp256k1zkp_v0_5_0_testrand_int(8)); +static void rustsecp256k1zkp_v0_6_0_testrand_flip(unsigned char *b, size_t len) { + b[rustsecp256k1zkp_v0_6_0_testrand_int(len)] ^= (1 << rustsecp256k1zkp_v0_6_0_testrand_int(8)); } -static void rustsecp256k1zkp_v0_5_0_testrand_init(const char* hexseed) { +static void rustsecp256k1zkp_v0_6_0_testrand_init(const char* hexseed) { unsigned char seed16[16] = {0}; if (hexseed && strlen(hexseed) != 0) { int pos = 0; @@ -145,7 +145,7 @@ static void rustsecp256k1zkp_v0_5_0_testrand_init(const char* hexseed) { pos++; } } else { - FILE *frand = fopen("/dev/urandom", "r"); + FILE *frand = fopen("/dev/urandom", "rb"); if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) { uint64_t t = time(NULL) * (uint64_t)1337; fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n"); @@ -164,12 +164,12 @@ static void rustsecp256k1zkp_v0_5_0_testrand_init(const char* hexseed) { } printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]); - rustsecp256k1zkp_v0_5_0_testrand_seed(seed16); + rustsecp256k1zkp_v0_6_0_testrand_seed(seed16); } -static void rustsecp256k1zkp_v0_5_0_testrand_finish(void) { +static void rustsecp256k1zkp_v0_6_0_testrand_finish(void) { unsigned char run32[32]; - rustsecp256k1zkp_v0_5_0_testrand256(run32); + rustsecp256k1zkp_v0_6_0_testrand256(run32); printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]); } diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/tests.c b/secp256k1-zkp-sys/depend/secp256k1/src/tests.c index bfeee533..66f9b41a 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/tests.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/tests.c @@ -15,25 +15,31 @@ #include #include "secp256k1.c" -#include "include/secp256k1.h" -#include "include/secp256k1_preallocated.h" +#include "../include/secp256k1.h" +#include "../include/secp256k1_preallocated.h" #include "testrand_impl.h" +#include "util.h" #ifdef ENABLE_OPENSSL_TESTS -#include "openssl/bn.h" -#include "openssl/ec.h" -#include "openssl/ecdsa.h" -#include "openssl/obj_mac.h" +#include +#include +#include +#include # if OPENSSL_VERSION_NUMBER < 0x10100000L void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;} # endif #endif -#include "contrib/lax_der_parsing.c" -#include "contrib/lax_der_privatekey_parsing.c" +#include "../contrib/lax_der_parsing.c" +#include "../contrib/lax_der_privatekey_parsing.c" + +#include "modinv32_impl.h" +#ifdef SECP256K1_WIDEMUL_INT128 +#include "modinv64_impl.h" +#endif static int count = 64; -static rustsecp256k1zkp_v0_5_0_context *ctx = NULL; +static rustsecp256k1zkp_v0_6_0_context *ctx = NULL; static void counting_illegal_callback_fn(const char* str, void* data) { /* Dummy callback function that just counts. */ @@ -51,79 +57,79 @@ static void uncounting_illegal_callback_fn(const char* str, void* data) { (*p)--; } -void random_field_element_test(rustsecp256k1zkp_v0_5_0_fe *fe) { +void random_field_element_test(rustsecp256k1zkp_v0_6_0_fe *fe) { do { unsigned char b32[32]; - rustsecp256k1zkp_v0_5_0_testrand256_test(b32); - if (rustsecp256k1zkp_v0_5_0_fe_set_b32(fe, b32)) { + rustsecp256k1zkp_v0_6_0_testrand256_test(b32); + if (rustsecp256k1zkp_v0_6_0_fe_set_b32(fe, b32)) { break; } } while(1); } -void random_field_element_magnitude(rustsecp256k1zkp_v0_5_0_fe *fe) { - rustsecp256k1zkp_v0_5_0_fe zero; - int n = rustsecp256k1zkp_v0_5_0_testrand_int(9); - rustsecp256k1zkp_v0_5_0_fe_normalize(fe); +void random_field_element_magnitude(rustsecp256k1zkp_v0_6_0_fe *fe) { + rustsecp256k1zkp_v0_6_0_fe zero; + int n = rustsecp256k1zkp_v0_6_0_testrand_int(9); + rustsecp256k1zkp_v0_6_0_fe_normalize(fe); if (n == 0) { return; } - rustsecp256k1zkp_v0_5_0_fe_clear(&zero); - rustsecp256k1zkp_v0_5_0_fe_negate(&zero, &zero, 0); - rustsecp256k1zkp_v0_5_0_fe_mul_int(&zero, n - 1); - rustsecp256k1zkp_v0_5_0_fe_add(fe, &zero); + rustsecp256k1zkp_v0_6_0_fe_clear(&zero); + rustsecp256k1zkp_v0_6_0_fe_negate(&zero, &zero, 0); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&zero, n - 1); + rustsecp256k1zkp_v0_6_0_fe_add(fe, &zero); #ifdef VERIFY CHECK(fe->magnitude == n); #endif } -void random_group_element_test(rustsecp256k1zkp_v0_5_0_ge *ge) { - rustsecp256k1zkp_v0_5_0_fe fe; +void random_group_element_test(rustsecp256k1zkp_v0_6_0_ge *ge) { + rustsecp256k1zkp_v0_6_0_fe fe; do { random_field_element_test(&fe); - if (rustsecp256k1zkp_v0_5_0_ge_set_xo_var(ge, &fe, rustsecp256k1zkp_v0_5_0_testrand_bits(1))) { - rustsecp256k1zkp_v0_5_0_fe_normalize(&ge->y); + if (rustsecp256k1zkp_v0_6_0_ge_set_xo_var(ge, &fe, rustsecp256k1zkp_v0_6_0_testrand_bits(1))) { + rustsecp256k1zkp_v0_6_0_fe_normalize(&ge->y); break; } } while(1); ge->infinity = 0; } -void random_group_element_jacobian_test(rustsecp256k1zkp_v0_5_0_gej *gej, const rustsecp256k1zkp_v0_5_0_ge *ge) { - rustsecp256k1zkp_v0_5_0_fe z2, z3; +void random_group_element_jacobian_test(rustsecp256k1zkp_v0_6_0_gej *gej, const rustsecp256k1zkp_v0_6_0_ge *ge) { + rustsecp256k1zkp_v0_6_0_fe z2, z3; do { random_field_element_test(&gej->z); - if (!rustsecp256k1zkp_v0_5_0_fe_is_zero(&gej->z)) { + if (!rustsecp256k1zkp_v0_6_0_fe_is_zero(&gej->z)) { break; } } while(1); - rustsecp256k1zkp_v0_5_0_fe_sqr(&z2, &gej->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&z3, &z2, &gej->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&gej->x, &ge->x, &z2); - rustsecp256k1zkp_v0_5_0_fe_mul(&gej->y, &ge->y, &z3); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z2, &gej->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&z3, &z2, &gej->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&gej->x, &ge->x, &z2); + rustsecp256k1zkp_v0_6_0_fe_mul(&gej->y, &ge->y, &z3); gej->infinity = ge->infinity; } -void random_scalar_order_test(rustsecp256k1zkp_v0_5_0_scalar *num) { +void random_scalar_order_test(rustsecp256k1zkp_v0_6_0_scalar *num) { do { unsigned char b32[32]; int overflow = 0; - rustsecp256k1zkp_v0_5_0_testrand256_test(b32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(num, b32, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(num)) { + rustsecp256k1zkp_v0_6_0_testrand256_test(b32); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(num, b32, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(num)) { continue; } break; } while(1); } -void random_scalar_order(rustsecp256k1zkp_v0_5_0_scalar *num) { +void random_scalar_order(rustsecp256k1zkp_v0_6_0_scalar *num) { do { unsigned char b32[32]; int overflow = 0; - rustsecp256k1zkp_v0_5_0_testrand256(b32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(num, b32, &overflow); - if (overflow || rustsecp256k1zkp_v0_5_0_scalar_is_zero(num)) { + rustsecp256k1zkp_v0_6_0_testrand256(b32); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(num, b32, &overflow); + if (overflow || rustsecp256k1zkp_v0_6_0_scalar_is_zero(num)) { continue; } break; @@ -131,9 +137,9 @@ void random_scalar_order(rustsecp256k1zkp_v0_5_0_scalar *num) { } void random_scalar_order_b32(unsigned char *b32) { - rustsecp256k1zkp_v0_5_0_scalar num; + rustsecp256k1zkp_v0_6_0_scalar num; random_scalar_order(&num); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(b32, &num); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(b32, &num); } void run_util_tests(void) { @@ -142,240 +148,240 @@ void run_util_tests(void) { uint64_t r2; uint64_t r3; int64_t s; - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var(0) == 64); - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var(1) == 63); - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var(2) == 62); - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var(3) == 62); - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var(~0ULL) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var((~0ULL) - 1) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var((~0ULL) >> 1) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var((~0ULL) >> 2) == 2); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, INT64_MAX) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var(0) == 64); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var(1) == 63); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var(2) == 62); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var(3) == 62); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var(~0ULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var((~0ULL) - 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var((~0ULL) >> 1) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var((~0ULL) >> 2) == 2); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, INT64_MAX) == 0); CHECK(r == INT64_MAX); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, INT64_MAX - 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, INT64_MAX - 1) == 0); CHECK(r == INT64_MAX - 1); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, INT64_MIN) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, INT64_MIN) == 1); CHECK(r == (uint64_t)INT64_MAX + 1); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, INT64_MIN + 1) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, INT64_MIN + 1) == 1); CHECK(r == (uint64_t)INT64_MAX); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, 0) == 0); CHECK(r == 0); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, 1) == 0); CHECK(r == 1); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, -1) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, -1) == 1); CHECK(r == 1); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, 2) == 0); CHECK(r == 2); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r, -2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r, -2) == 1); CHECK(r == 2); for (i = 0; i < 10; i++) { - CHECK(rustsecp256k1zkp_v0_5_0_clz64_var((~0ULL) - rustsecp256k1zkp_v0_5_0_testrand32()) == 0); - r = ((uint64_t)rustsecp256k1zkp_v0_5_0_testrand32() << 32) | rustsecp256k1zkp_v0_5_0_testrand32(); - r2 = rustsecp256k1zkp_v0_5_0_testrandi64(0, r); + CHECK(rustsecp256k1zkp_v0_6_0_clz64_var((~0ULL) - rustsecp256k1zkp_v0_6_0_testrand32()) == 0); + r = ((uint64_t)rustsecp256k1zkp_v0_6_0_testrand32() << 32) | rustsecp256k1zkp_v0_6_0_testrand32(); + r2 = rustsecp256k1zkp_v0_6_0_testrandi64(0, r); CHECK(r2 <= r); - r3 = rustsecp256k1zkp_v0_5_0_testrandi64(r2, r); + r3 = rustsecp256k1zkp_v0_6_0_testrandi64(r2, r); CHECK((r3 >= r2) && (r3 <= r)); - r = rustsecp256k1zkp_v0_5_0_testrandi64(0, INT64_MAX); - s = (int64_t)r * (rustsecp256k1zkp_v0_5_0_testrand32()&1?-1:1); - CHECK(rustsecp256k1zkp_v0_5_0_sign_and_abs64(&r2, s) == (s < 0)); + r = rustsecp256k1zkp_v0_6_0_testrandi64(0, INT64_MAX); + s = (int64_t)r * (rustsecp256k1zkp_v0_6_0_testrand32()&1?-1:1); + CHECK(rustsecp256k1zkp_v0_6_0_sign_and_abs64(&r2, s) == (s < 0)); CHECK(r2 == r); } } void run_context_tests(int use_prealloc) { - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_pubkey zero_pubkey; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey zero_pubkey; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; unsigned char ctmp[32]; int32_t ecount; int32_t ecount2; - rustsecp256k1zkp_v0_5_0_context *none; - rustsecp256k1zkp_v0_5_0_context *sign; - rustsecp256k1zkp_v0_5_0_context *vrfy; - rustsecp256k1zkp_v0_5_0_context *both; + rustsecp256k1zkp_v0_6_0_context *none; + rustsecp256k1zkp_v0_6_0_context *sign; + rustsecp256k1zkp_v0_6_0_context *vrfy; + rustsecp256k1zkp_v0_6_0_context *both; void *none_prealloc = NULL; void *sign_prealloc = NULL; void *vrfy_prealloc = NULL; void *both_prealloc = NULL; - rustsecp256k1zkp_v0_5_0_gej pubj; - rustsecp256k1zkp_v0_5_0_ge pub; - rustsecp256k1zkp_v0_5_0_scalar msg, key, nonce; - rustsecp256k1zkp_v0_5_0_scalar sigr, sigs; + rustsecp256k1zkp_v0_6_0_gej pubj; + rustsecp256k1zkp_v0_6_0_ge pub; + rustsecp256k1zkp_v0_6_0_scalar msg, key, nonce; + rustsecp256k1zkp_v0_6_0_scalar sigr, sigs; if (use_prealloc) { - none_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); - sign_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); - vrfy_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); - both_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); + none_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); + sign_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); + vrfy_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); + both_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(none_prealloc != NULL); CHECK(sign_prealloc != NULL); CHECK(vrfy_prealloc != NULL); CHECK(both_prealloc != NULL); - none = rustsecp256k1zkp_v0_5_0_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE); - sign = rustsecp256k1zkp_v0_5_0_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN); - vrfy = rustsecp256k1zkp_v0_5_0_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY); - both = rustsecp256k1zkp_v0_5_0_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + none = rustsecp256k1zkp_v0_6_0_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE); + sign = rustsecp256k1zkp_v0_6_0_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN); + vrfy = rustsecp256k1zkp_v0_6_0_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY); + both = rustsecp256k1zkp_v0_6_0_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); } else { - none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - sign = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN); - vrfy = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_VERIFY); - both = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + sign = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN); + vrfy = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_VERIFY); + both = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); } memset(&zero_pubkey, 0, sizeof(zero_pubkey)); ecount = 0; ecount2 = 10; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2); - /* set error callback (to a function that still aborts in case malloc() fails in rustsecp256k1zkp_v0_5_0_context_clone() below) */ - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn, NULL); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2); + /* set error callback (to a function that still aborts in case malloc() fails in rustsecp256k1zkp_v0_6_0_context_clone() below) */ + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn, NULL); CHECK(sign->error_callback.fn != vrfy->error_callback.fn); - CHECK(sign->error_callback.fn == rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn); + CHECK(sign->error_callback.fn == rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn); /* check if sizes for cloning are consistent */ - CHECK(rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(none) == rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); - CHECK(rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(sign) == rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); - CHECK(rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(vrfy) == rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); - CHECK(rustsecp256k1zkp_v0_5_0_context_preallocated_clone_size(both) == rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); + CHECK(rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(none) == rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); + CHECK(rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(sign) == rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); + CHECK(rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(vrfy) == rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); + CHECK(rustsecp256k1zkp_v0_6_0_context_preallocated_clone_size(both) == rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); /*** clone and destroy all of them to make sure cloning was complete ***/ { - rustsecp256k1zkp_v0_5_0_context *ctx_tmp; + rustsecp256k1zkp_v0_6_0_context *ctx_tmp; if (use_prealloc) { /* clone into a non-preallocated context and then again into a new preallocated one. */ - ctx_tmp = none; none = rustsecp256k1zkp_v0_5_0_context_clone(none); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); - free(none_prealloc); none_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL); - ctx_tmp = none; none = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(none, none_prealloc); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); + ctx_tmp = none; none = rustsecp256k1zkp_v0_6_0_context_clone(none); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); + free(none_prealloc); none_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL); + ctx_tmp = none; none = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(none, none_prealloc); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); - ctx_tmp = sign; sign = rustsecp256k1zkp_v0_5_0_context_clone(sign); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); - free(sign_prealloc); sign_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL); - ctx_tmp = sign; sign = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(sign, sign_prealloc); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); + ctx_tmp = sign; sign = rustsecp256k1zkp_v0_6_0_context_clone(sign); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); + free(sign_prealloc); sign_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL); + ctx_tmp = sign; sign = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(sign, sign_prealloc); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); - ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_5_0_context_clone(vrfy); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); - free(vrfy_prealloc); vrfy_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL); - ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(vrfy, vrfy_prealloc); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); + ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_6_0_context_clone(vrfy); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); + free(vrfy_prealloc); vrfy_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL); + ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(vrfy, vrfy_prealloc); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); - ctx_tmp = both; both = rustsecp256k1zkp_v0_5_0_context_clone(both); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); - free(both_prealloc); both_prealloc = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL); - ctx_tmp = both; both = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(both, both_prealloc); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); + ctx_tmp = both; both = rustsecp256k1zkp_v0_6_0_context_clone(both); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); + free(both_prealloc); both_prealloc = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL); + ctx_tmp = both; both = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(both, both_prealloc); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); } else { /* clone into a preallocated context and then again into a new non-preallocated one. */ void *prealloc_tmp; - prealloc_tmp = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL); - ctx_tmp = none; none = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(none, prealloc_tmp); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); - ctx_tmp = none; none = rustsecp256k1zkp_v0_5_0_context_clone(none); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL); + ctx_tmp = none; none = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(none, prealloc_tmp); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); + ctx_tmp = none; none = rustsecp256k1zkp_v0_6_0_context_clone(none); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); - prealloc_tmp = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL); - ctx_tmp = sign; sign = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(sign, prealloc_tmp); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); - ctx_tmp = sign; sign = rustsecp256k1zkp_v0_5_0_context_clone(sign); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL); + ctx_tmp = sign; sign = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(sign, prealloc_tmp); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); + ctx_tmp = sign; sign = rustsecp256k1zkp_v0_6_0_context_clone(sign); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); - prealloc_tmp = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); - ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(vrfy, prealloc_tmp); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); - ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_5_0_context_clone(vrfy); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); + ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(vrfy, prealloc_tmp); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); + ctx_tmp = vrfy; vrfy = rustsecp256k1zkp_v0_6_0_context_clone(vrfy); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); - prealloc_tmp = malloc(rustsecp256k1zkp_v0_5_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); - ctx_tmp = both; both = rustsecp256k1zkp_v0_5_0_context_preallocated_clone(both, prealloc_tmp); rustsecp256k1zkp_v0_5_0_context_destroy(ctx_tmp); - ctx_tmp = both; both = rustsecp256k1zkp_v0_5_0_context_clone(both); rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1zkp_v0_6_0_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); + ctx_tmp = both; both = rustsecp256k1zkp_v0_6_0_context_preallocated_clone(both, prealloc_tmp); rustsecp256k1zkp_v0_6_0_context_destroy(ctx_tmp); + ctx_tmp = both; both = rustsecp256k1zkp_v0_6_0_context_clone(both); rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); } } /* Verify that the error callback makes it across the clone. */ CHECK(sign->error_callback.fn != vrfy->error_callback.fn); - CHECK(sign->error_callback.fn == rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn); + CHECK(sign->error_callback.fn == rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn); /* And that it resets back to default. */ - rustsecp256k1zkp_v0_5_0_context_set_error_callback(sign, NULL, NULL); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(sign, NULL, NULL); CHECK(vrfy->error_callback.fn == sign->error_callback.fn); /*** attempt to use them ***/ random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pub, &pubj); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pub, &pubj); /* Verify context-type checking illegal-argument errors. */ memset(ctmp, 1, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0); CHECK(ecount == 1); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(sign, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(sign, &pubkey, ctmp) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0); CHECK(ecount == 2); VG_UNDEF(&sig, sizeof(sig)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1); VG_CHECK(&sig, sizeof(sig)); CHECK(ecount2 == 10); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0); CHECK(ecount2 == 11); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0); CHECK(ecount2 == 12); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0); CHECK(ecount2 == 13); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(vrfy, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(vrfy, &pubkey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(sign, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(sign, &pubkey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(sign, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(sign, NULL) == 0); CHECK(ecount2 == 14); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(vrfy, &zero_pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(vrfy, &zero_pubkey) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_context_randomize(vrfy, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_context_randomize(vrfy, ctmp) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_context_randomize(vrfy, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_context_randomize(vrfy, NULL) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_context_randomize(sign, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_context_randomize(sign, ctmp) == 1); CHECK(ecount2 == 14); - CHECK(rustsecp256k1zkp_v0_5_0_context_randomize(sign, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_context_randomize(sign, NULL) == 1); CHECK(ecount2 == 14); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(vrfy, NULL, NULL); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(sign, NULL, NULL); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(vrfy, NULL, NULL); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(sign, NULL, NULL); /* obtain a working nonce */ do { random_scalar_order_test(&nonce); - } while(!rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); + } while(!rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); /* try signing */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); /* try verifying */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg)); /* cleanup */ if (use_prealloc) { - rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(none); - rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(both); + rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(none); + rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(both); free(none_prealloc); free(sign_prealloc); free(vrfy_prealloc); free(both_prealloc); } else { - rustsecp256k1zkp_v0_5_0_context_destroy(none); - rustsecp256k1zkp_v0_5_0_context_destroy(sign); - rustsecp256k1zkp_v0_5_0_context_destroy(vrfy); - rustsecp256k1zkp_v0_5_0_context_destroy(both); + rustsecp256k1zkp_v0_6_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_context_destroy(sign); + rustsecp256k1zkp_v0_6_0_context_destroy(vrfy); + rustsecp256k1zkp_v0_6_0_context_destroy(both); } /* Defined as no-op. */ - rustsecp256k1zkp_v0_5_0_context_destroy(NULL); - rustsecp256k1zkp_v0_5_0_context_preallocated_destroy(NULL); + rustsecp256k1zkp_v0_6_0_context_destroy(NULL); + rustsecp256k1zkp_v0_6_0_context_preallocated_destroy(NULL); } @@ -385,81 +391,100 @@ void run_scratch_tests(void) { int32_t ecount = 0; size_t checkpoint; size_t checkpoint_2; - rustsecp256k1zkp_v0_5_0_context *none = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1zkp_v0_5_0_scratch_space *scratch; - rustsecp256k1zkp_v0_5_0_scratch_space local_scratch; + rustsecp256k1zkp_v0_6_0_context *none = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1zkp_v0_6_0_scratch_space *scratch; + rustsecp256k1zkp_v0_6_0_scratch_space local_scratch; /* Test public API */ - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1zkp_v0_5_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - scratch = rustsecp256k1zkp_v0_5_0_scratch_space_create(none, 1000); + scratch = rustsecp256k1zkp_v0_6_0_scratch_space_create(none, 1000); CHECK(scratch != NULL); CHECK(ecount == 0); /* Test internal API */ - CHECK(rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); CHECK(scratch->alloc_size == 0); CHECK(scratch->alloc_size % ALIGNMENT == 0); /* Allocating 500 bytes succeeds */ - checkpoint = rustsecp256k1zkp_v0_5_0_scratch_checkpoint(&none->error_callback, scratch); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_alloc(&none->error_callback, scratch, 500) != NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); + checkpoint = rustsecp256k1zkp_v0_6_0_scratch_checkpoint(&none->error_callback, scratch); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_alloc(&none->error_callback, scratch, 500) != NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); CHECK(scratch->alloc_size != 0); CHECK(scratch->alloc_size % ALIGNMENT == 0); /* Allocating another 501 bytes fails */ - CHECK(rustsecp256k1zkp_v0_5_0_scratch_alloc(&none->error_callback, scratch, 501) == NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_alloc(&none->error_callback, scratch, 501) == NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); CHECK(scratch->alloc_size != 0); CHECK(scratch->alloc_size % ALIGNMENT == 0); /* ...but it succeeds once we apply the checkpoint to undo it */ - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); CHECK(scratch->alloc_size == 0); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_alloc(&none->error_callback, scratch, 500) != NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_alloc(&none->error_callback, scratch, 500) != NULL); CHECK(scratch->alloc_size != 0); /* try to apply a bad checkpoint */ - checkpoint_2 = rustsecp256k1zkp_v0_5_0_scratch_checkpoint(&none->error_callback, scratch); - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); + checkpoint_2 = rustsecp256k1zkp_v0_6_0_scratch_checkpoint(&none->error_callback, scratch); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); CHECK(ecount == 0); - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */ + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */ CHECK(ecount == 1); - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */ + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */ CHECK(ecount == 2); /* try to use badly initialized scratch space */ - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(none, scratch); + rustsecp256k1zkp_v0_6_0_scratch_space_destroy(none, scratch); memset(&local_scratch, 0, sizeof(local_scratch)); scratch = &local_scratch; - CHECK(!rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, 0)); + CHECK(!rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, 0)); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_scratch_alloc(&none->error_callback, scratch, 500) == NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_alloc(&none->error_callback, scratch, 500) == NULL); CHECK(ecount == 4); - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(none, scratch); + rustsecp256k1zkp_v0_6_0_scratch_space_destroy(none, scratch); CHECK(ecount == 5); /* Test that large integers do not wrap around in a bad way */ - scratch = rustsecp256k1zkp_v0_5_0_scratch_space_create(none, 1000); + scratch = rustsecp256k1zkp_v0_6_0_scratch_space_create(none, 1000); /* Try max allocation with a large number of objects. Only makes sense if * ALIGNMENT is greater than 1 because otherwise the objects take no extra * space. */ - CHECK(ALIGNMENT <= 1 || !rustsecp256k1zkp_v0_5_0_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1)); + CHECK(ALIGNMENT <= 1 || !rustsecp256k1zkp_v0_6_0_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1)); /* Try allocating SIZE_MAX to test wrap around which only happens if * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch * space is too small. */ - CHECK(rustsecp256k1zkp_v0_5_0_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL); - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(none, scratch); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL); + rustsecp256k1zkp_v0_6_0_scratch_space_destroy(none, scratch); /* cleanup */ - rustsecp256k1zkp_v0_5_0_scratch_space_destroy(none, NULL); /* no-op */ - rustsecp256k1zkp_v0_5_0_context_destroy(none); + rustsecp256k1zkp_v0_6_0_scratch_space_destroy(none, NULL); /* no-op */ + rustsecp256k1zkp_v0_6_0_context_destroy(none); +} + +void run_ctz_tests(void) { + static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129}; + static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef}; + int shift; + unsigned i; + for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) { + for (shift = 0; shift < 32; ++shift) { + CHECK(rustsecp256k1zkp_v0_6_0_ctz32_var_debruijn(b32[i] << shift) == shift); + CHECK(rustsecp256k1zkp_v0_6_0_ctz32_var(b32[i] << shift) == shift); + } + } + for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) { + for (shift = 0; shift < 64; ++shift) { + CHECK(rustsecp256k1zkp_v0_6_0_ctz64_var_debruijn(b64[i] << shift) == shift); + CHECK(rustsecp256k1zkp_v0_6_0_ctz64_var(b64[i] << shift) == shift); + } + } } /***** HASH TESTS *****/ @@ -484,18 +509,18 @@ void run_sha256_tests(void) { int i; for (i = 0; i < 8; i++) { unsigned char out[32]; - rustsecp256k1zkp_v0_5_0_sha256 hasher; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&hasher); - rustsecp256k1zkp_v0_5_0_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&hasher, out); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(out, outputs[i], 32) == 0); + rustsecp256k1zkp_v0_6_0_sha256 hasher; + rustsecp256k1zkp_v0_6_0_sha256_initialize(&hasher); + rustsecp256k1zkp_v0_6_0_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&hasher, out); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(out, outputs[i], 32) == 0); if (strlen(inputs[i]) > 0) { - int split = rustsecp256k1zkp_v0_5_0_testrand_int(strlen(inputs[i])); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&hasher); - rustsecp256k1zkp_v0_5_0_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); - rustsecp256k1zkp_v0_5_0_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); - rustsecp256k1zkp_v0_5_0_sha256_finalize(&hasher, out); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(out, outputs[i], 32) == 0); + int split = rustsecp256k1zkp_v0_6_0_testrand_int(strlen(inputs[i])); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&hasher); + rustsecp256k1zkp_v0_6_0_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); + rustsecp256k1zkp_v0_6_0_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); + rustsecp256k1zkp_v0_6_0_sha256_finalize(&hasher, out); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(out, outputs[i], 32) == 0); } } } @@ -527,19 +552,19 @@ void run_hmac_sha256_tests(void) { }; int i; for (i = 0; i < 6; i++) { - rustsecp256k1zkp_v0_5_0_hmac_sha256 hasher; + rustsecp256k1zkp_v0_6_0_hmac_sha256 hasher; unsigned char out[32]; - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hasher, out); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(out, outputs[i], 32) == 0); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hasher, out); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(out, outputs[i], 32) == 0); if (strlen(inputs[i]) > 0) { - int split = rustsecp256k1zkp_v0_5_0_testrand_int(strlen(inputs[i])); - rustsecp256k1zkp_v0_5_0_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); - rustsecp256k1zkp_v0_5_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); - rustsecp256k1zkp_v0_5_0_hmac_sha256_finalize(&hasher, out); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(out, outputs[i], 32) == 0); + int split = rustsecp256k1zkp_v0_6_0_testrand_int(strlen(inputs[i])); + rustsecp256k1zkp_v0_6_0_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); + rustsecp256k1zkp_v0_6_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); + rustsecp256k1zkp_v0_6_0_hmac_sha256_finalize(&hasher, out); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(out, outputs[i], 32) == 0); } } } @@ -559,30 +584,30 @@ void run_rfc6979_hmac_sha256_tests(void) { {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} }; - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256 rng; + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256 rng; unsigned char out[32]; int i; - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, key1, 64); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, key1, 64); for (i = 0; i < 3; i++) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, out, 32); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(out, out1[i], 32) == 0); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, out, 32); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(out, out1[i], 32) == 0); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(&rng); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, key1, 65); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, key1, 65); for (i = 0; i < 3; i++) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, out, 32); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(out, out1[i], 32) != 0); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, out, 32); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(out, out1[i], 32) != 0); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(&rng); - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_initialize(&rng, key2, 64); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_initialize(&rng, key2, 64); for (i = 0; i < 3; i++) { - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_generate(&rng, out, 32); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(out, out2[i], 32) == 0); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_generate(&rng, out, 32); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(out, out2[i], 32) == 0); } - rustsecp256k1zkp_v0_5_0_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1zkp_v0_6_0_rfc6979_hmac_sha256_finalize(&rng); } /***** RANDOM TESTS *****/ @@ -604,7 +629,7 @@ void test_rand_bits(int rand32, int bits) { /* Multiply the output of all rand calls with the odd number m, which should not change the uniformity of its distribution. */ for (i = 0; i < rounds[usebits]; i++) { - uint32_t r = (rand32 ? rustsecp256k1zkp_v0_5_0_testrand32() : rustsecp256k1zkp_v0_5_0_testrand_bits(bits)); + uint32_t r = (rand32 ? rustsecp256k1zkp_v0_6_0_testrand32() : rustsecp256k1zkp_v0_6_0_testrand_bits(bits)); CHECK((((uint64_t)r) >> bits) == 0); for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) { uint32_t rm = r * mults[m]; @@ -629,7 +654,7 @@ void test_rand_int(uint32_t range, uint32_t subrange) { uint64_t x = 0; CHECK((range % subrange) == 0); for (i = 0; i < rounds; i++) { - uint32_t r = rustsecp256k1zkp_v0_5_0_testrand_int(range); + uint32_t r = rustsecp256k1zkp_v0_6_0_testrand_int(range); CHECK(r < range); r = r % subrange; x |= (((uint64_t)1) << r); @@ -657,202 +682,924 @@ void run_rand_int(void) { } } -/***** NUM TESTS *****/ +/***** MODINV TESTS *****/ + +/* Compute the modular inverse of (odd) x mod 2^64. */ +uint64_t modinv2p64(uint64_t x) { + /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See + * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for + * why. Start with L=0, for which it is true for every odd x that + * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */ + int l; + uint64_t w = 1; + CHECK(x & 1); + for (l = 0; l < 6; ++l) w *= (2 - w*x); + return w; +} + +/* compute out = (a*b) mod m; if b=NULL, treat b=1. + * + * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other + * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */ +void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) { + uint16_t mul[32]; + uint64_t c = 0; + int i, j; + int m_bitlen = 0; + int mul_bitlen = 0; + + if (b != NULL) { + /* Compute the product of a and b, and put it in mul. */ + for (i = 0; i < 32; ++i) { + for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) { + c += (uint64_t)a[j] * b[i - j]; + } + mul[i] = c & 0xFFFF; + c >>= 16; + } + CHECK(c == 0); + + /* compute the highest set bit in mul */ + for (i = 511; i >= 0; --i) { + if ((mul[i >> 4] >> (i & 15)) & 1) { + mul_bitlen = i; + break; + } + } + } else { + /* if b==NULL, set mul=a. */ + memcpy(mul, a, 32); + memset(mul + 16, 0, 32); + /* compute the highest set bit in mul */ + for (i = 255; i >= 0; --i) { + if ((mul[i >> 4] >> (i & 15)) & 1) { + mul_bitlen = i; + break; + } + } + } -#ifndef USE_NUM_NONE -void random_num_negate(rustsecp256k1zkp_v0_5_0_num *num) { - if (rustsecp256k1zkp_v0_5_0_testrand_bits(1)) { - rustsecp256k1zkp_v0_5_0_num_negate(num); + /* Compute the highest set bit in m. */ + for (i = 255; i >= 0; --i) { + if ((m[i >> 4] >> (i & 15)) & 1) { + m_bitlen = i; + break; + } } + + /* Try do mul -= m<= 0; --i) { + uint16_t mul2[32]; + int64_t cs; + + /* Compute mul2 = mul - m<= 0 && bitpos < 256) { + sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p; + } + } + /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */ + cs += mul[j]; + cs -= sub; + mul2[j] = (cs & 0xFFFF); + cs >>= 16; + } + /* If remainder of subtraction is 0, set mul = mul2. */ + if (cs == 0) { + memcpy(mul, mul2, sizeof(mul)); + } + } + /* Sanity check: test that all limbs higher than m's highest are zero */ + for (i = (m_bitlen >> 4) + 1; i < 32; ++i) { + CHECK(mul[i] == 0); + } + memcpy(out, mul, 32); } -void random_num_order_test(rustsecp256k1zkp_v0_5_0_num *num) { - rustsecp256k1zkp_v0_5_0_scalar sc; - random_scalar_order_test(&sc); - rustsecp256k1zkp_v0_5_0_scalar_get_num(num, &sc); +/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */ +void uint16_to_signed30(rustsecp256k1zkp_v0_6_0_modinv32_signed30* out, const uint16_t* in) { + int i; + memset(out->v, 0, sizeof(out->v)); + for (i = 0; i < 256; ++i) { + out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30); + } } -void random_num_order(rustsecp256k1zkp_v0_5_0_num *num) { - rustsecp256k1zkp_v0_5_0_scalar sc; - random_scalar_order(&sc); - rustsecp256k1zkp_v0_5_0_scalar_get_num(num, &sc); -} - -void test_num_negate(void) { - rustsecp256k1zkp_v0_5_0_num n1; - rustsecp256k1zkp_v0_5_0_num n2; - random_num_order_test(&n1); /* n1 = R */ - random_num_negate(&n1); - rustsecp256k1zkp_v0_5_0_num_copy(&n2, &n1); /* n2 = R */ - rustsecp256k1zkp_v0_5_0_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */ - CHECK(rustsecp256k1zkp_v0_5_0_num_is_zero(&n1)); - rustsecp256k1zkp_v0_5_0_num_copy(&n1, &n2); /* n1 = R */ - rustsecp256k1zkp_v0_5_0_num_negate(&n1); /* n1 = -R */ - CHECK(!rustsecp256k1zkp_v0_5_0_num_is_zero(&n1)); - rustsecp256k1zkp_v0_5_0_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */ - CHECK(rustsecp256k1zkp_v0_5_0_num_is_zero(&n1)); - rustsecp256k1zkp_v0_5_0_num_copy(&n1, &n2); /* n1 = R */ - rustsecp256k1zkp_v0_5_0_num_negate(&n1); /* n1 = -R */ - CHECK(rustsecp256k1zkp_v0_5_0_num_is_neg(&n1) != rustsecp256k1zkp_v0_5_0_num_is_neg(&n2)); - rustsecp256k1zkp_v0_5_0_num_negate(&n1); /* n1 = R */ - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&n1, &n2)); -} - -void test_num_add_sub(void) { +/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */ +void signed30_to_uint16(uint16_t* out, const rustsecp256k1zkp_v0_6_0_modinv32_signed30* in) { int i; - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_num n1; - rustsecp256k1zkp_v0_5_0_num n2; - rustsecp256k1zkp_v0_5_0_num n1p2, n2p1, n1m2, n2m1; - random_num_order_test(&n1); /* n1 = R1 */ - if (rustsecp256k1zkp_v0_5_0_testrand_bits(1)) { - random_num_negate(&n1); - } - random_num_order_test(&n2); /* n2 = R2 */ - if (rustsecp256k1zkp_v0_5_0_testrand_bits(1)) { - random_num_negate(&n2); - } - rustsecp256k1zkp_v0_5_0_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */ - rustsecp256k1zkp_v0_5_0_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */ - rustsecp256k1zkp_v0_5_0_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */ - rustsecp256k1zkp_v0_5_0_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */ - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&n1p2, &n2p1)); - CHECK(!rustsecp256k1zkp_v0_5_0_num_eq(&n1p2, &n1m2)); - rustsecp256k1zkp_v0_5_0_num_negate(&n2m1); /* n2m1 = -R2 + R1 */ - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&n2m1, &n1m2)); - CHECK(!rustsecp256k1zkp_v0_5_0_num_eq(&n2m1, &n1)); - rustsecp256k1zkp_v0_5_0_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */ - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&n2m1, &n1)); - CHECK(!rustsecp256k1zkp_v0_5_0_num_eq(&n2p1, &n1)); - rustsecp256k1zkp_v0_5_0_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */ - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&n2p1, &n1)); - - /* check is_one */ - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s, 1); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n1, &s); - CHECK(rustsecp256k1zkp_v0_5_0_num_is_one(&n1)); - /* check that 2^n + 1 is never 1 */ - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n2, &s); - for (i = 0; i < 250; ++i) { - rustsecp256k1zkp_v0_5_0_num_add(&n1, &n1, &n1); /* n1 *= 2 */ - rustsecp256k1zkp_v0_5_0_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */ - CHECK(!rustsecp256k1zkp_v0_5_0_num_is_one(&n1p2)); - } -} - -void test_num_mod(void) { + memset(out, 0, 32); + for (i = 0; i < 256; ++i) { + out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15); + } +} + +/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */ +void mutate_sign_signed30(rustsecp256k1zkp_v0_6_0_modinv32_signed30* x) { int i; - rustsecp256k1zkp_v0_5_0_scalar s; - rustsecp256k1zkp_v0_5_0_num order, n; + for (i = 0; i < 16; ++i) { + int pos = rustsecp256k1zkp_v0_6_0_testrand_int(8); + if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) { + x->v[pos] -= 0x40000000; + x->v[pos + 1] += 1; + } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) { + x->v[pos] += 0x40000000; + x->v[pos + 1] -= 1; + } + } +} - /* check that 0 mod anything is 0 */ - random_scalar_order_test(&s); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&order, &s); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s, 0); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &s); - rustsecp256k1zkp_v0_5_0_num_mod(&n, &order); - CHECK(rustsecp256k1zkp_v0_5_0_num_is_zero(&n)); - - /* check that anything mod 1 is 0 */ - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s, 1); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&order, &s); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &s); - rustsecp256k1zkp_v0_5_0_num_mod(&n, &order); - CHECK(rustsecp256k1zkp_v0_5_0_num_is_zero(&n)); - - /* check that increasing the number past 2^256 does not break this */ - random_scalar_order_test(&s); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &s); - /* multiply by 2^8, which'll test this case with high probability */ - for (i = 0; i < 8; ++i) { - rustsecp256k1zkp_v0_5_0_num_add(&n, &n, &n); +/* Test rustsecp256k1zkp_v0_6_0_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */ +void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { + uint16_t tmp[16]; + rustsecp256k1zkp_v0_6_0_modinv32_signed30 x; + rustsecp256k1zkp_v0_6_0_modinv32_modinfo m; + int i, vartime, nonzero; + + uint16_to_signed30(&x, in); + nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0; + uint16_to_signed30(&m.modulus, mod); + mutate_sign_signed30(&m.modulus); + + /* compute 1/modulus mod 2^30 */ + m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff; + CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1); + + for (vartime = 0; vartime < 2; ++vartime) { + /* compute inverse */ + (vartime ? rustsecp256k1zkp_v0_6_0_modinv32_var : rustsecp256k1zkp_v0_6_0_modinv32)(&x, &m); + + /* produce output */ + signed30_to_uint16(out, &x); + + /* check if the inverse times the input is 1 (mod m), unless x is 0. */ + mulmod256(tmp, out, in, mod); + CHECK(tmp[0] == nonzero); + for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); + + /* invert again */ + (vartime ? rustsecp256k1zkp_v0_6_0_modinv32_var : rustsecp256k1zkp_v0_6_0_modinv32)(&x, &m); + + /* check if the result is equal to the input */ + signed30_to_uint16(tmp, &x); + for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); } - rustsecp256k1zkp_v0_5_0_num_mod(&n, &order); - CHECK(rustsecp256k1zkp_v0_5_0_num_is_zero(&n)); } -void test_num_jacobi(void) { - rustsecp256k1zkp_v0_5_0_scalar sqr; - rustsecp256k1zkp_v0_5_0_scalar small; - rustsecp256k1zkp_v0_5_0_scalar five; /* five is not a quadratic residue */ - rustsecp256k1zkp_v0_5_0_num order, n; +#ifdef SECP256K1_WIDEMUL_INT128 +/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */ +void uint16_to_signed62(rustsecp256k1zkp_v0_6_0_modinv64_signed62* out, const uint16_t* in) { int i; - /* squares mod 5 are 1, 4 */ - const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 }; + memset(out->v, 0, sizeof(out->v)); + for (i = 0; i < 256; ++i) { + out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62); + } +} - /* check some small values with 5 as the order */ - rustsecp256k1zkp_v0_5_0_scalar_set_int(&five, 5); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&order, &five); - for (i = 0; i < 10; ++i) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&small, i); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &small); - CHECK(rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &order) == jacobi5[i]); +/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */ +void signed62_to_uint16(uint16_t* out, const rustsecp256k1zkp_v0_6_0_modinv64_signed62* in) { + int i; + memset(out, 0, 32); + for (i = 0; i < 256; ++i) { + out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15); } +} - /** test large values with 5 as group order */ - rustsecp256k1zkp_v0_5_0_scalar_get_num(&order, &five); - /* we first need a scalar which is not a multiple of 5 */ - do { - rustsecp256k1zkp_v0_5_0_num fiven; - random_scalar_order_test(&sqr); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&fiven, &five); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &sqr); - rustsecp256k1zkp_v0_5_0_num_mod(&n, &fiven); - } while (rustsecp256k1zkp_v0_5_0_num_is_zero(&n)); - /* next force it to be a residue. 2 is a nonresidue mod 5 so we can - * just multiply by two, i.e. add the number to itself */ - if (rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &order) == -1) { - rustsecp256k1zkp_v0_5_0_num_add(&n, &n, &n); - } - - /* test residue */ - CHECK(rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &order) == 1); - /* test nonresidue */ - rustsecp256k1zkp_v0_5_0_num_add(&n, &n, &n); - CHECK(rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &order) == -1); - - /** test with secp group order as order */ - rustsecp256k1zkp_v0_5_0_scalar_order_get_num(&order); - random_scalar_order_test(&sqr); - rustsecp256k1zkp_v0_5_0_scalar_sqr(&sqr, &sqr); - /* test residue */ - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &sqr); - CHECK(rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &order) == 1); - /* test nonresidue */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&sqr, &sqr, &five); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &sqr); - CHECK(rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &order) == -1); - /* test multiple of the order*/ - CHECK(rustsecp256k1zkp_v0_5_0_num_jacobi(&order, &order) == 0); - - /* check one less than the order */ - rustsecp256k1zkp_v0_5_0_scalar_set_int(&small, 1); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&n, &small); - rustsecp256k1zkp_v0_5_0_num_sub(&n, &order, &n); - CHECK(rustsecp256k1zkp_v0_5_0_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */ -} - -void run_num_smalltests(void) { +/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */ +void mutate_sign_signed62(rustsecp256k1zkp_v0_6_0_modinv64_signed62* x) { + static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); int i; - for (i = 0; i < 100*count; i++) { - test_num_negate(); - test_num_add_sub(); - test_num_mod(); - test_num_jacobi(); + for (i = 0; i < 8; ++i) { + int pos = rustsecp256k1zkp_v0_6_0_testrand_int(4); + if (x->v[pos] > 0 && x->v[pos + 1] <= M62) { + x->v[pos] -= (M62 + 1); + x->v[pos + 1] += 1; + } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) { + x->v[pos] += (M62 + 1); + x->v[pos + 1] -= 1; + } + } +} + +/* Test rustsecp256k1zkp_v0_6_0_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */ +void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { + static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); + uint16_t tmp[16]; + rustsecp256k1zkp_v0_6_0_modinv64_signed62 x; + rustsecp256k1zkp_v0_6_0_modinv64_modinfo m; + int i, vartime, nonzero; + + uint16_to_signed62(&x, in); + nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0; + uint16_to_signed62(&m.modulus, mod); + mutate_sign_signed62(&m.modulus); + + /* compute 1/modulus mod 2^62 */ + m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62; + CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1); + + for (vartime = 0; vartime < 2; ++vartime) { + /* compute inverse */ + (vartime ? rustsecp256k1zkp_v0_6_0_modinv64_var : rustsecp256k1zkp_v0_6_0_modinv64)(&x, &m); + + /* produce output */ + signed62_to_uint16(out, &x); + + /* check if the inverse times the input is 1 (mod m), unless x is 0. */ + mulmod256(tmp, out, in, mod); + CHECK(tmp[0] == nonzero); + for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); + + /* invert again */ + (vartime ? rustsecp256k1zkp_v0_6_0_modinv64_var : rustsecp256k1zkp_v0_6_0_modinv64)(&x, &m); + + /* check if the result is equal to the input */ + signed62_to_uint16(tmp, &x); + for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); } } #endif +/* test if a and b are coprime */ +int coprime(const uint16_t* a, const uint16_t* b) { + uint16_t x[16], y[16], t[16]; + int i; + int iszero; + memcpy(x, a, 32); + memcpy(y, b, 32); + + /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */ + while (1) { + iszero = 1; + for (i = 0; i < 16; ++i) { + if (x[i] != 0) { + iszero = 0; + break; + } + } + if (iszero) break; + mulmod256(t, y, NULL, x); + memcpy(y, x, 32); + memcpy(x, t, 32); + } + + /* return whether y=1 */ + if (y[0] != 1) return 0; + for (i = 1; i < 16; ++i) { + if (y[i] != 0) return 0; + } + return 1; +} + +void run_modinv_tests(void) { + /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */ + static const uint16_t CASES[][3][16] = { + /* Test cases triggering edge cases in divsteps */ + + /* Test case known to need 713 divsteps */ + {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477, + 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e}, + {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54, + 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b}, + {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab, + 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}}, + /* Test case known to need 589 divsteps, reaching delta=-140 and + delta=141. */ + {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9, + 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c}, + {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da, + 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3}, + {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0, + 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}}, + /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */ + {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94, + 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040}, + {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d, + 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3}, + {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005, + 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}}, + /* example needing 713 divsteps; delta=-2..3 */ + {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9, + 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d}, + {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772, + 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298}, + {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797, + 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}}, + /* example needing 713 divsteps; delta=-2..3 */ + {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850, + 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78}, + {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c, + 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2}, + {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358, + 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}}, + /* example needing 713 divsteps; delta=-2..3 */ + {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9, + 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc}, + {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e, + 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29}, + {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da, + 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}}, + /* example reaching delta=-64..65; 661 divsteps */ + {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2, + 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530}, + {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16, + 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598}, + {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f, + 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}}, + /* example reaching delta=-64..65; 661 divsteps */ + {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717, + 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a}, + {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94, + 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108}, + {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187, + 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}}, + /* example reaching delta=-64..65; 661 divsteps */ + {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb, + 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a}, + {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6, + 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230}, + {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb, + 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}}, + /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */ + {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee, + 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc}, + {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005, + 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67}, + {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572, + 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}}, + /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ + {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185, + 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d}, + {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde, + 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5}, + {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0, + 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}}, + /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ + {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7, + 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50}, + {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a, + 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24}, + {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb, + 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}}, + /* example doing 446 (f,g/2) steps; 523 divsteps */ + {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf, + 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a}, + {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f, + 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32}, + {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c, + 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}}, + /* example doing 446 (f,g/2) steps; 523 divsteps */ + {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd, + 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7}, + {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283, + 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087}, + {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8, + 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}}, + /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */ + {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878, + 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5}, + {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703, + 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b}, + {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d, + 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}}, + /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */ + {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836, + 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c}, + {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6, + 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62}, + {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344, + 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}}, + /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */ + {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5, + 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5}, + {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153, + 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032}, + {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2, + 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}}, + /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */ + {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c, + 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f}, + {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717, + 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b}, + {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951, + 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}}, + + /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */ + + /* example needing 590 divsteps; delta=-5/2..7/2 */ + {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a, + 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e}, + {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0, + 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8}, + {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54, + 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}}, + /* example needing 590 divsteps; delta=-3/2..5/2 */ + {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e, + 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d}, + {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a, + 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7}, + {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451, + 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}}, + /* example needing 590 divsteps; delta=-3/2..5/2 */ + {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11, + 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40}, + {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805, + 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9}, + {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7, + 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}}, + /* example needing 590 divsteps; delta=-5/2..7/2 */ + {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce, + 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1}, + {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba, + 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5}, + {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c, + 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}}, + /* example needing 590 divsteps; delta=-3/2..5/2 */ + {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7, + 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82}, + {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712, + 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89}, + {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919, + 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}}, + /* example reaching delta=-127/2..129/2; 571 divsteps */ + {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681, + 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56}, + {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868, + 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f}, + {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db, + 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}}, + /* example reaching delta=-127/2..129/2; 571 divsteps */ + {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7, + 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c}, + {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1, + 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36}, + {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074, + 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}}, + /* example reaching delta=-127/2..129/2; 571 divsteps */ + {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d, + 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56}, + {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669, + 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f}, + {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0, + 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}}, + /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ + {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a, + 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14}, + {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae, + 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943}, + {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa, + 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}}, + /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ + {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8, + 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4}, + {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332, + 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4}, + {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9, + 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}}, + /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ + {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982, + 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14}, + {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d, + 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943}, + {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495, + 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}}, + /* example doing 453 (f,g/2) steps; 514 divsteps */ + {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae, + 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448}, + {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089, + 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7}, + {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241, + 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}}, + /* example doing 453 (f,g/2) steps; 514 divsteps */ + {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1, + 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2}, + {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5, + 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823}, + {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159, + 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}}, + /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ + {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877, + 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19}, + {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49, + 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9}, + {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e, + 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}}, + /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ + {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3, + 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b}, + {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4, + 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf}, + {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042, + 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}}, + /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */ + {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6, + 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42}, + {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936, + 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305}, + {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a, + 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}}, + /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */ + {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52, + 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359}, + {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a, + 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f}, + {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9, + 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}}, + + /* Test cases with the group order as modulus. */ + + /* Test case with the group order as modulus, needing 635 divsteps. */ + {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120, + 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc, + 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}}, + /* example with group size as modulus needing 631 divsteps */ + {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7, + 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb, + 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}}, + /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */ + {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce, + 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32, + 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}}, + /* Test case with the group size as modulus, needing 981 divsteps with + broken eta handling. */ + {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae, + 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126, + 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}}, + /* Test case with the group size as modulus, input = 0. */ + {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, + /* Test case with the group size as modulus, input = 1. */ + {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, + /* Test case with the group size as modulus, input = 2. */ + {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, + /* Test case with the group size as modulus, input = group - 1. */ + {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, + 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, + + /* Test cases with the field size as modulus. */ + + /* Test case with the field size as modulus, needing 637 divsteps. */ + {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688, + 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701, + 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}}, + /* example with field size as modulus needing 637 divsteps */ + {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff, + 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce, + 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}}, + /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */ + {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e, + 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291, + 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}}, + /* Test case with the field size as modulus, needing 935 divsteps with + broken eta handling. */ + {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8, + 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed, + 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}}, + /* Test case with the field size as modulus, input = 0. */ + {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, + /* Test case with the field size as modulus, input = 1. */ + {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, + /* Test case with the field size as modulus, input = 2. */ + {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, + /* Test case with the field size as modulus, input = field - 1. */ + {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, + {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, + 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, + + /* Selected from a large number of random inputs to reach small/large + * d/e values in various configurations. */ + {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70, + 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30}, + {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8, + 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff}, + {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842, + 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}}, + {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98, + 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e}, + {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43, + 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6}, + {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae, + 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}}, + {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5, + 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac}, + {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969, + 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb}, + {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512, + 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}}, + {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c, + 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8}, + {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702, + 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2}, + {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce, + 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}}, + {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737, + 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4}, + {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4, + 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff}, + {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33, + 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}}, + {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb, + 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97}, + {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311, + 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640}, + {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7, + 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}}, + {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd, + 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576}, + {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621, + 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64}, + {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821, + 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}}, + {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89, + 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e}, + {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa, + 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5}, + {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0, + 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}}, + {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3, + 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c}, + {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd, + 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff}, + {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c, + 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}}, + {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f, + 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a}, + {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b, + 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff}, + {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf, + 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}}, + {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49, + 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe}, + {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8, + 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff}, + {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac, + 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}}, + {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e, + 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e}, + {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba, + 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77}, + {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569, + 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}}, + {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611, + 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d}, + {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a, + 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff}, + {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376, + 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}}, + {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b, + 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4}, + {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016, + 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff}, + {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f, + 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}}, + {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7, + 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8}, + {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104, + 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff}, + {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405, + 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}}, + {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033, + 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914}, + {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346, + 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3}, + {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c, + 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}}, + {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c, + 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025}, + {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb, + 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93}, + {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744, + 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}}, + {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904, + 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94}, + {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94, + 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b}, + {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e, + 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}}, + {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4, + 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f}, + {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550, + 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97}, + {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618, + 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}}, + {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7, + 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166}, + {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54, + 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa}, + {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5, + 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}}, + {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a, + 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1}, + {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328, + 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb}, + {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857, + 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}}, + {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413, + 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3}, + {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92, + 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c}, + {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f, + 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}}, + {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe, + 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d}, + {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e, + 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb}, + {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424, + 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}}, + {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56, + 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428}, + {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998, + 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff}, + {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8, + 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}}, + {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9, + 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d}, + {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e, + 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a}, + {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614, + 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}}, + {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7, + 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067}, + {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b, + 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185}, + {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42, + 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}}, + {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74, + 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4}, + {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781, + 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351}, + {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65, + 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}}, + {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced, + 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79}, + {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c, + 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0}, + {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145, + 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}}, + {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a, + 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096}, + {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf, + 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628}, + {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da, + 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}}, + {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91, + 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4}, + {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5, + 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad}, + {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41, + 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}}, + {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224, + 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000}, + {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183, + 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000}, + {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3, + 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}}, + {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b, + 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f}, + {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35, + 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb}, + {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3, + 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}}, + {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995, + 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c}, + {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60, + 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb}, + {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134, + 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}}, + {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6, + 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097}, + {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40, + 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0}, + {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0, + 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}}, + {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82, + 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14}, + {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee, + 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80}, + {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051, + 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}} + }; + + int i, j, ok; + + /* Test known inputs/outputs */ + for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) { + uint16_t out[16]; + test_modinv32_uint16(out, CASES[i][0], CASES[i][1]); + for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); +#ifdef SECP256K1_WIDEMUL_INT128 + test_modinv64_uint16(out, CASES[i][0], CASES[i][1]); + for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); +#endif + } + + for (i = 0; i < 100 * count; ++i) { + /* 256-bit numbers in 16-uint16_t's notation */ + static const uint16_t ZERO[16] = {0}; + uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */ + uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */ + uint16_t id[16]; /* the inverse of xd mod md */ + + /* generate random xd and md, so that md is odd, md>1, xd 256) { now = 256 - i; } - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t, rustsecp256k1zkp_v0_5_0_scalar_get_bits_var(&s, 256 - now - i, now)); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t, rustsecp256k1zkp_v0_6_0_scalar_get_bits_var(&s, 256 - now - i, now)); for (j = 0; j < now; j++) { - rustsecp256k1zkp_v0_5_0_scalar_add(&n, &n, &n); + rustsecp256k1zkp_v0_6_0_scalar_add(&n, &n, &n); } - rustsecp256k1zkp_v0_5_0_scalar_add(&n, &n, &t); + rustsecp256k1zkp_v0_6_0_scalar_add(&n, &n, &t); i += now; } - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&n, &s)); - } - -#ifndef USE_NUM_NONE - { - /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */ - rustsecp256k1zkp_v0_5_0_num rnum; - rustsecp256k1zkp_v0_5_0_num r2num; - rustsecp256k1zkp_v0_5_0_scalar r; - rustsecp256k1zkp_v0_5_0_num_add(&rnum, &snum, &s2num); - rustsecp256k1zkp_v0_5_0_num_mod(&rnum, &order); - rustsecp256k1zkp_v0_5_0_scalar_add(&r, &s, &s2); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&r2num, &r); - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&rnum, &r2num)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&n, &s)); } { - /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */ - rustsecp256k1zkp_v0_5_0_scalar r; - rustsecp256k1zkp_v0_5_0_num r2num; - rustsecp256k1zkp_v0_5_0_num rnum; - rustsecp256k1zkp_v0_5_0_num_mul(&rnum, &snum, &s2num); - rustsecp256k1zkp_v0_5_0_num_mod(&rnum, &order); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r, &s, &s2); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&r2num, &r); - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&rnum, &r2num)); - /* The result can only be zero if at least one of the factors was zero. */ - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&r) == (rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s) || rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s2))); - /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */ - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&rnum, &snum) == (rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s) || rustsecp256k1zkp_v0_5_0_scalar_is_one(&s2))); - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&rnum, &s2num) == (rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s2) || rustsecp256k1zkp_v0_5_0_scalar_is_one(&s))); - } - - { - rustsecp256k1zkp_v0_5_0_scalar neg; - rustsecp256k1zkp_v0_5_0_num negnum; - rustsecp256k1zkp_v0_5_0_num negnum2; - /* Check that comparison with zero matches comparison with zero on the number. */ - CHECK(rustsecp256k1zkp_v0_5_0_num_is_zero(&snum) == rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s)); - /* Check that comparison with the half order is equal to testing for high scalar. */ - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_high(&s) == (rustsecp256k1zkp_v0_5_0_num_cmp(&snum, &half_order) > 0)); - rustsecp256k1zkp_v0_5_0_scalar_negate(&neg, &s); - rustsecp256k1zkp_v0_5_0_num_sub(&negnum, &order, &snum); - rustsecp256k1zkp_v0_5_0_num_mod(&negnum, &order); - /* Check that comparison with the half order is equal to testing for high scalar after negation. */ - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_high(&neg) == (rustsecp256k1zkp_v0_5_0_num_cmp(&negnum, &half_order) > 0)); - /* Negating should change the high property, unless the value was already zero. */ - CHECK((rustsecp256k1zkp_v0_5_0_scalar_is_high(&s) == rustsecp256k1zkp_v0_5_0_scalar_is_high(&neg)) == rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s)); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&negnum2, &neg); - /* Negating a scalar should be equal to (order - n) mod order on the number. */ - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&negnum, &negnum2)); - rustsecp256k1zkp_v0_5_0_scalar_add(&neg, &neg, &s); - /* Adding a number to its negation should result in zero. */ - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&neg)); - rustsecp256k1zkp_v0_5_0_scalar_negate(&neg, &neg); - /* Negating zero should still result in zero. */ - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&neg)); - } - - { - /* Test rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var. */ - rustsecp256k1zkp_v0_5_0_scalar r; - rustsecp256k1zkp_v0_5_0_num one; - rustsecp256k1zkp_v0_5_0_num rnum; - rustsecp256k1zkp_v0_5_0_num rnum2; - unsigned char cone[1] = {0x01}; - unsigned int shift = 256 + rustsecp256k1zkp_v0_5_0_testrand_int(257); - rustsecp256k1zkp_v0_5_0_scalar_mul_shift_var(&r, &s1, &s2, shift); - rustsecp256k1zkp_v0_5_0_num_mul(&rnum, &s1num, &s2num); - rustsecp256k1zkp_v0_5_0_num_shift(&rnum, shift - 1); - rustsecp256k1zkp_v0_5_0_num_set_bin(&one, cone, 1); - rustsecp256k1zkp_v0_5_0_num_add(&rnum, &rnum, &one); - rustsecp256k1zkp_v0_5_0_num_shift(&rnum, 1); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&rnum2, &r); - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&rnum, &rnum2)); - } - - { - /* test rustsecp256k1zkp_v0_5_0_scalar_shr_int */ - rustsecp256k1zkp_v0_5_0_scalar r; + /* test rustsecp256k1zkp_v0_6_0_scalar_shr_int */ + rustsecp256k1zkp_v0_6_0_scalar r; int i; random_scalar_order_test(&r); for (i = 0; i < 100; ++i) { int low; - int shift = 1 + rustsecp256k1zkp_v0_5_0_testrand_int(15); + int shift = 1 + rustsecp256k1zkp_v0_6_0_testrand_int(15); int expected = r.d[0] % (1 << shift); - low = rustsecp256k1zkp_v0_5_0_scalar_shr_int(&r, shift); + low = rustsecp256k1zkp_v0_6_0_scalar_shr_int(&r, shift); CHECK(expected == low); } } -#endif - - { - /* Test that scalar inverses are equal to the inverse of their number modulo the order. */ - if (!rustsecp256k1zkp_v0_5_0_scalar_is_zero(&s)) { - rustsecp256k1zkp_v0_5_0_scalar inv; -#ifndef USE_NUM_NONE - rustsecp256k1zkp_v0_5_0_num invnum; - rustsecp256k1zkp_v0_5_0_num invnum2; -#endif - rustsecp256k1zkp_v0_5_0_scalar_inverse(&inv, &s); -#ifndef USE_NUM_NONE - rustsecp256k1zkp_v0_5_0_num_mod_inverse(&invnum, &snum, &order); - rustsecp256k1zkp_v0_5_0_scalar_get_num(&invnum2, &inv); - CHECK(rustsecp256k1zkp_v0_5_0_num_eq(&invnum, &invnum2)); -#endif - rustsecp256k1zkp_v0_5_0_scalar_mul(&inv, &inv, &s); - /* Multiplying a scalar with its inverse must result in one. */ - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_one(&inv)); - rustsecp256k1zkp_v0_5_0_scalar_inverse(&inv, &inv); - /* Inverting one must result in one. */ - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_one(&inv)); -#ifndef USE_NUM_NONE - rustsecp256k1zkp_v0_5_0_scalar_get_num(&invnum, &inv); - CHECK(rustsecp256k1zkp_v0_5_0_num_is_one(&invnum)); -#endif - } - } { /* Test commutativity of add. */ - rustsecp256k1zkp_v0_5_0_scalar r1, r2; - rustsecp256k1zkp_v0_5_0_scalar_add(&r1, &s1, &s2); - rustsecp256k1zkp_v0_5_0_scalar_add(&r2, &s2, &s1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); + rustsecp256k1zkp_v0_6_0_scalar r1, r2; + rustsecp256k1zkp_v0_6_0_scalar_add(&r1, &s1, &s2); + rustsecp256k1zkp_v0_6_0_scalar_add(&r2, &s2, &s1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &r2)); } { - rustsecp256k1zkp_v0_5_0_scalar r1, r2; - rustsecp256k1zkp_v0_5_0_scalar b; + rustsecp256k1zkp_v0_6_0_scalar r1, r2; + rustsecp256k1zkp_v0_6_0_scalar b; int i; /* Test add_bit. */ - int bit = rustsecp256k1zkp_v0_5_0_testrand_bits(8); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&b, 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_one(&b)); + int bit = rustsecp256k1zkp_v0_6_0_testrand_bits(8); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&b, 1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_one(&b)); for (i = 0; i < bit; i++) { - rustsecp256k1zkp_v0_5_0_scalar_add(&b, &b, &b); + rustsecp256k1zkp_v0_6_0_scalar_add(&b, &b, &b); } r1 = s1; r2 = s1; - if (!rustsecp256k1zkp_v0_5_0_scalar_add(&r1, &r1, &b)) { + if (!rustsecp256k1zkp_v0_6_0_scalar_add(&r1, &r1, &b)) { /* No overflow happened. */ - rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(&r2, bit, 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); + rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(&r2, bit, 1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &r2)); /* cadd is a noop when flag is zero */ - rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(&r2, bit, 0); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); + rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(&r2, bit, 0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &r2)); } } { /* Test commutativity of mul. */ - rustsecp256k1zkp_v0_5_0_scalar r1, r2; - rustsecp256k1zkp_v0_5_0_scalar_mul(&r1, &s1, &s2); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r2, &s2, &s1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); + rustsecp256k1zkp_v0_6_0_scalar r1, r2; + rustsecp256k1zkp_v0_6_0_scalar_mul(&r1, &s1, &s2); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r2, &s2, &s1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &r2)); } { /* Test associativity of add. */ - rustsecp256k1zkp_v0_5_0_scalar r1, r2; - rustsecp256k1zkp_v0_5_0_scalar_add(&r1, &s1, &s2); - rustsecp256k1zkp_v0_5_0_scalar_add(&r1, &r1, &s); - rustsecp256k1zkp_v0_5_0_scalar_add(&r2, &s2, &s); - rustsecp256k1zkp_v0_5_0_scalar_add(&r2, &s1, &r2); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); + rustsecp256k1zkp_v0_6_0_scalar r1, r2; + rustsecp256k1zkp_v0_6_0_scalar_add(&r1, &s1, &s2); + rustsecp256k1zkp_v0_6_0_scalar_add(&r1, &r1, &s); + rustsecp256k1zkp_v0_6_0_scalar_add(&r2, &s2, &s); + rustsecp256k1zkp_v0_6_0_scalar_add(&r2, &s1, &r2); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &r2)); } { /* Test associativity of mul. */ - rustsecp256k1zkp_v0_5_0_scalar r1, r2; - rustsecp256k1zkp_v0_5_0_scalar_mul(&r1, &s1, &s2); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r1, &r1, &s); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r2, &s2, &s); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r2, &s1, &r2); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); + rustsecp256k1zkp_v0_6_0_scalar r1, r2; + rustsecp256k1zkp_v0_6_0_scalar_mul(&r1, &s1, &s2); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r1, &r1, &s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r2, &s2, &s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r2, &s1, &r2); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &r2)); } { /* Test distributitivity of mul over add. */ - rustsecp256k1zkp_v0_5_0_scalar r1, r2, t; - rustsecp256k1zkp_v0_5_0_scalar_add(&r1, &s1, &s2); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r1, &r1, &s); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r2, &s1, &s); - rustsecp256k1zkp_v0_5_0_scalar_mul(&t, &s2, &s); - rustsecp256k1zkp_v0_5_0_scalar_add(&r2, &r2, &t); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); - } - - { - /* Test square. */ - rustsecp256k1zkp_v0_5_0_scalar r1, r2; - rustsecp256k1zkp_v0_5_0_scalar_sqr(&r1, &s1); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r2, &s1, &s1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &r2)); + rustsecp256k1zkp_v0_6_0_scalar r1, r2, t; + rustsecp256k1zkp_v0_6_0_scalar_add(&r1, &s1, &s2); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r1, &r1, &s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r2, &s1, &s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&t, &s2, &s); + rustsecp256k1zkp_v0_6_0_scalar_add(&r2, &r2, &t); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &r2)); } { /* Test multiplicative identity. */ - rustsecp256k1zkp_v0_5_0_scalar r1, v1; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&v1,1); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r1, &s1, &v1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &s1)); + rustsecp256k1zkp_v0_6_0_scalar r1, v1; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&v1,1); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r1, &s1, &v1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &s1)); } { /* Test additive identity. */ - rustsecp256k1zkp_v0_5_0_scalar r1, v0; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&v0,0); - rustsecp256k1zkp_v0_5_0_scalar_add(&r1, &s1, &v0); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &s1)); + rustsecp256k1zkp_v0_6_0_scalar r1, v0; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&v0,0); + rustsecp256k1zkp_v0_6_0_scalar_add(&r1, &s1, &v0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &s1)); } { /* Test zero product property. */ - rustsecp256k1zkp_v0_5_0_scalar r1, v0; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&v0,0); - rustsecp256k1zkp_v0_5_0_scalar_mul(&r1, &s1, &v0); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &v0)); + rustsecp256k1zkp_v0_6_0_scalar r1, v0; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&v0,0); + rustsecp256k1zkp_v0_6_0_scalar_mul(&r1, &s1, &v0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &v0)); } } void run_scalar_set_b32_seckey_tests(void) { unsigned char b32[32]; - rustsecp256k1zkp_v0_5_0_scalar s1; - rustsecp256k1zkp_v0_5_0_scalar s2; + rustsecp256k1zkp_v0_6_0_scalar s1; + rustsecp256k1zkp_v0_6_0_scalar s2; /* Usually set_b32 and set_b32_seckey give the same result */ random_scalar_order_b32(b32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&s1, b32, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&s2, b32) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&s1, &s2) == 1); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&s1, b32, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&s2, b32) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&s1, &s2) == 1); memset(b32, 0, sizeof(b32)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&s2, b32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&s2, b32) == 0); memset(b32, 0xFF, sizeof(b32)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_set_b32_seckey(&s2, b32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_set_b32_seckey(&s2, b32) == 0); } void scalar_chacha_tests(void) { @@ -1224,39 +1851,39 @@ void scalar_chacha_tests(void) { 0xf5, 0xa7, 0x0d, 0xab, 0x79, 0x03, 0xf1, 0x81 }; - rustsecp256k1zkp_v0_5_0_scalar exp_r1, exp_r2; - rustsecp256k1zkp_v0_5_0_scalar r1, r2; + rustsecp256k1zkp_v0_6_0_scalar exp_r1, exp_r2; + rustsecp256k1zkp_v0_6_0_scalar r1, r2; unsigned char seed0[32] = { 0 }; - rustsecp256k1zkp_v0_5_0_scalar_chacha20(&r1, &r2, seed0, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r1, &expected1[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r2, &expected1[32], NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r1, &r1)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r2, &r2)); - - rustsecp256k1zkp_v0_5_0_scalar_chacha20(&r1, &r2, seed0, 1); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r1, &expected2[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r2, &expected2[32], NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r1, &r1)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r2, &r2)); - - rustsecp256k1zkp_v0_5_0_scalar_chacha20(&r1, &r2, seed3, 1); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r1, &expected3[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r2, &expected3[32], NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r1, &r1)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r2, &r2)); - - rustsecp256k1zkp_v0_5_0_scalar_chacha20(&r1, &r2, seed4, 2); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r1, &expected4[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r2, &expected4[32], NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r1, &r1)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r2, &r2)); - - rustsecp256k1zkp_v0_5_0_scalar_chacha20(&r1, &r2, seed5, 0x6ff8602a7a78e2f2ULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r1, &expected5[0], NULL); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&exp_r2, &expected5[32], NULL); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r1, &r1)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&exp_r2, &r2)); + rustsecp256k1zkp_v0_6_0_scalar_chacha20(&r1, &r2, seed0, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r1, &expected1[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r2, &expected1[32], NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r1, &r1)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r2, &r2)); + + rustsecp256k1zkp_v0_6_0_scalar_chacha20(&r1, &r2, seed0, 1); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r1, &expected2[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r2, &expected2[32], NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r1, &r1)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r2, &r2)); + + rustsecp256k1zkp_v0_6_0_scalar_chacha20(&r1, &r2, seed3, 1); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r1, &expected3[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r2, &expected3[32], NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r1, &r1)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r2, &r2)); + + rustsecp256k1zkp_v0_6_0_scalar_chacha20(&r1, &r2, seed4, 2); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r1, &expected4[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r2, &expected4[32], NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r1, &r1)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r2, &r2)); + + rustsecp256k1zkp_v0_6_0_scalar_chacha20(&r1, &r2, seed5, 0x6ff8602a7a78e2f2ULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r1, &expected5[0], NULL); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&exp_r2, &expected5[32], NULL); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r1, &r1)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&exp_r2, &r2)); } void run_scalar_tests(void) { @@ -1272,65 +1899,23 @@ void run_scalar_tests(void) { { /* (-1)+1 should be zero. */ - rustsecp256k1zkp_v0_5_0_scalar s, o; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s, 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_one(&s)); - rustsecp256k1zkp_v0_5_0_scalar_negate(&o, &s); - rustsecp256k1zkp_v0_5_0_scalar_add(&o, &o, &s); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&o)); - rustsecp256k1zkp_v0_5_0_scalar_negate(&o, &o); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&o)); + rustsecp256k1zkp_v0_6_0_scalar s, o; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s, 1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_one(&s)); + rustsecp256k1zkp_v0_6_0_scalar_negate(&o, &s); + rustsecp256k1zkp_v0_6_0_scalar_add(&o, &o, &s); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(&o)); + rustsecp256k1zkp_v0_6_0_scalar_negate(&o, &o); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(&o)); } -#ifndef USE_NUM_NONE - { - /* Test rustsecp256k1zkp_v0_5_0_scalar_set_b32 boundary conditions */ - rustsecp256k1zkp_v0_5_0_num order; - rustsecp256k1zkp_v0_5_0_scalar scalar; - unsigned char bin[32]; - unsigned char bin_tmp[32]; - int overflow = 0; - /* 2^256-1 - order */ - static const rustsecp256k1zkp_v0_5_0_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST( - 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL, - 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL - ); - - /* A scalar set to 0s should be 0. */ - memset(bin, 0, 32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&scalar, bin, &overflow); - CHECK(overflow == 0); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&scalar)); - - /* A scalar with value of the curve order should be 0. */ - rustsecp256k1zkp_v0_5_0_scalar_order_get_num(&order); - rustsecp256k1zkp_v0_5_0_num_get_bin(bin, 32, &order); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&scalar, bin, &overflow); - CHECK(overflow == 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&scalar)); - - /* A scalar with value of the curve order minus one should not overflow. */ - bin[31] -= 1; - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&scalar, bin, &overflow); - CHECK(overflow == 0); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(bin_tmp, &scalar); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(bin, bin_tmp, 32) == 0); - - /* A scalar set to all 1s should overflow. */ - memset(bin, 0xFF, 32); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&scalar, bin, &overflow); - CHECK(overflow == 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&scalar, &all_ones_minus_order)); - } -#endif - { /* Does check_overflow check catch all ones? */ - static const rustsecp256k1zkp_v0_5_0_scalar overflowed = SECP256K1_SCALAR_CONST( + static const rustsecp256k1zkp_v0_6_0_scalar overflowed = SECP256K1_SCALAR_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL ); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_check_overflow(&overflowed)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_check_overflow(&overflowed)); } { @@ -1339,16 +1924,14 @@ void run_scalar_tests(void) { * and edge-case coverage on 32-bit and 64-bit implementations. * The responses were generated with Sage 5.9. */ - rustsecp256k1zkp_v0_5_0_scalar x; - rustsecp256k1zkp_v0_5_0_scalar y; - rustsecp256k1zkp_v0_5_0_scalar z; - rustsecp256k1zkp_v0_5_0_scalar zz; - rustsecp256k1zkp_v0_5_0_scalar one; - rustsecp256k1zkp_v0_5_0_scalar r1; - rustsecp256k1zkp_v0_5_0_scalar r2; -#if defined(USE_SCALAR_INV_NUM) - rustsecp256k1zkp_v0_5_0_scalar zzv; -#endif + rustsecp256k1zkp_v0_6_0_scalar x; + rustsecp256k1zkp_v0_6_0_scalar y; + rustsecp256k1zkp_v0_6_0_scalar z; + rustsecp256k1zkp_v0_6_0_scalar zz; + rustsecp256k1zkp_v0_6_0_scalar one; + rustsecp256k1zkp_v0_6_0_scalar r1; + rustsecp256k1zkp_v0_6_0_scalar r2; + rustsecp256k1zkp_v0_6_0_scalar zzv; int overflow; unsigned char chal[33][2][32] = { {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, @@ -1882,71 +2465,63 @@ void run_scalar_tests(void) { 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}} }; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&one, 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&one, 1); for (i = 0; i < 33; i++) { - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&x, chal[i][0], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&x, chal[i][0], &overflow); CHECK(!overflow); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&y, chal[i][1], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&y, chal[i][1], &overflow); CHECK(!overflow); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&r1, res[i][0], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&r1, res[i][0], &overflow); CHECK(!overflow); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&r2, res[i][1], &overflow); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&r2, res[i][1], &overflow); CHECK(!overflow); - rustsecp256k1zkp_v0_5_0_scalar_mul(&z, &x, &y); - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_check_overflow(&z)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r1, &z)); - if (!rustsecp256k1zkp_v0_5_0_scalar_is_zero(&y)) { - rustsecp256k1zkp_v0_5_0_scalar_inverse(&zz, &y); - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_check_overflow(&zz)); -#if defined(USE_SCALAR_INV_NUM) - rustsecp256k1zkp_v0_5_0_scalar_inverse_var(&zzv, &y); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&zzv, &zz)); -#endif - rustsecp256k1zkp_v0_5_0_scalar_mul(&z, &z, &zz); - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_check_overflow(&z)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&x, &z)); - rustsecp256k1zkp_v0_5_0_scalar_mul(&zz, &zz, &y); - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_check_overflow(&zz)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&one, &zz)); + rustsecp256k1zkp_v0_6_0_scalar_mul(&z, &x, &y); + CHECK(!rustsecp256k1zkp_v0_6_0_scalar_check_overflow(&z)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&r1, &z)); + if (!rustsecp256k1zkp_v0_6_0_scalar_is_zero(&y)) { + rustsecp256k1zkp_v0_6_0_scalar_inverse(&zz, &y); + CHECK(!rustsecp256k1zkp_v0_6_0_scalar_check_overflow(&zz)); + rustsecp256k1zkp_v0_6_0_scalar_inverse_var(&zzv, &y); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&zzv, &zz)); + rustsecp256k1zkp_v0_6_0_scalar_mul(&z, &z, &zz); + CHECK(!rustsecp256k1zkp_v0_6_0_scalar_check_overflow(&z)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&x, &z)); + rustsecp256k1zkp_v0_6_0_scalar_mul(&zz, &zz, &y); + CHECK(!rustsecp256k1zkp_v0_6_0_scalar_check_overflow(&zz)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&one, &zz)); } - rustsecp256k1zkp_v0_5_0_scalar_mul(&z, &x, &x); - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_check_overflow(&z)); - rustsecp256k1zkp_v0_5_0_scalar_sqr(&zz, &x); - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_check_overflow(&zz)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&zz, &z)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&r2, &zz)); } } } /***** FIELD TESTS *****/ -void random_fe(rustsecp256k1zkp_v0_5_0_fe *x) { +void random_fe(rustsecp256k1zkp_v0_6_0_fe *x) { unsigned char bin[32]; do { - rustsecp256k1zkp_v0_5_0_testrand256(bin); - if (rustsecp256k1zkp_v0_5_0_fe_set_b32(x, bin)) { + rustsecp256k1zkp_v0_6_0_testrand256(bin); + if (rustsecp256k1zkp_v0_6_0_fe_set_b32(x, bin)) { return; } } while(1); } -void random_fe_test(rustsecp256k1zkp_v0_5_0_fe *x) { +void random_fe_test(rustsecp256k1zkp_v0_6_0_fe *x) { unsigned char bin[32]; do { - rustsecp256k1zkp_v0_5_0_testrand256_test(bin); - if (rustsecp256k1zkp_v0_5_0_fe_set_b32(x, bin)) { + rustsecp256k1zkp_v0_6_0_testrand256_test(bin); + if (rustsecp256k1zkp_v0_6_0_fe_set_b32(x, bin)) { return; } } while(1); } -void random_fe_non_zero(rustsecp256k1zkp_v0_5_0_fe *nz) { +void random_fe_non_zero(rustsecp256k1zkp_v0_6_0_fe *nz) { int tries = 10; while (--tries >= 0) { random_fe(nz); - rustsecp256k1zkp_v0_5_0_fe_normalize(nz); - if (!rustsecp256k1zkp_v0_5_0_fe_is_zero(nz)) { + rustsecp256k1zkp_v0_6_0_fe_normalize(nz); + if (!rustsecp256k1zkp_v0_6_0_fe_is_zero(nz)) { break; } } @@ -1954,27 +2529,20 @@ void random_fe_non_zero(rustsecp256k1zkp_v0_5_0_fe *nz) { CHECK(tries >= 0); } -void random_fe_non_square(rustsecp256k1zkp_v0_5_0_fe *ns) { - rustsecp256k1zkp_v0_5_0_fe r; +void random_fe_non_square(rustsecp256k1zkp_v0_6_0_fe *ns) { + rustsecp256k1zkp_v0_6_0_fe r; random_fe_non_zero(ns); - if (rustsecp256k1zkp_v0_5_0_fe_sqrt(&r, ns)) { - rustsecp256k1zkp_v0_5_0_fe_negate(ns, ns, 1); + if (rustsecp256k1zkp_v0_6_0_fe_sqrt(&r, ns)) { + rustsecp256k1zkp_v0_6_0_fe_negate(ns, ns, 1); } } -int check_fe_equal(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b) { - rustsecp256k1zkp_v0_5_0_fe an = *a; - rustsecp256k1zkp_v0_5_0_fe bn = *b; - rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&an); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&bn); - return rustsecp256k1zkp_v0_5_0_fe_equal_var(&an, &bn); -} - -int check_fe_inverse(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *ai) { - rustsecp256k1zkp_v0_5_0_fe x; - rustsecp256k1zkp_v0_5_0_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1zkp_v0_5_0_fe_mul(&x, a, ai); - return check_fe_equal(&x, &one); +int check_fe_equal(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b) { + rustsecp256k1zkp_v0_6_0_fe an = *a; + rustsecp256k1zkp_v0_6_0_fe bn = *b; + rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&an); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&bn); + return rustsecp256k1zkp_v0_6_0_fe_equal_var(&an, &bn); } void run_field_convert(void) { @@ -1984,187 +2552,163 @@ void run_field_convert(void) { 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 }; - static const rustsecp256k1zkp_v0_5_0_fe_storage fes = SECP256K1_FE_STORAGE_CONST( + static const rustsecp256k1zkp_v0_6_0_fe_storage fes = SECP256K1_FE_STORAGE_CONST( 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL ); - static const rustsecp256k1zkp_v0_5_0_fe fe = SECP256K1_FE_CONST( + static const rustsecp256k1zkp_v0_6_0_fe fe = SECP256K1_FE_CONST( 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL ); - rustsecp256k1zkp_v0_5_0_fe fe2; + rustsecp256k1zkp_v0_6_0_fe fe2; unsigned char b322[32]; - rustsecp256k1zkp_v0_5_0_fe_storage fes2; + rustsecp256k1zkp_v0_6_0_fe_storage fes2; /* Check conversions to fe. */ - CHECK(rustsecp256k1zkp_v0_5_0_fe_set_b32(&fe2, b32)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&fe, &fe2)); - rustsecp256k1zkp_v0_5_0_fe_from_storage(&fe2, &fes); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&fe, &fe2)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_set_b32(&fe2, b32)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&fe, &fe2)); + rustsecp256k1zkp_v0_6_0_fe_from_storage(&fe2, &fes); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&fe, &fe2)); /* Check conversion from fe. */ - rustsecp256k1zkp_v0_5_0_fe_get_b32(b322, &fe); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(b322, b32, 32) == 0); - rustsecp256k1zkp_v0_5_0_fe_to_storage(&fes2, &fe); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&fes2, &fes, sizeof(fes)) == 0); + rustsecp256k1zkp_v0_6_0_fe_get_b32(b322, &fe); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(b322, b32, 32) == 0); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&fes2, &fe); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&fes2, &fes, sizeof(fes)) == 0); } -int fe_rustsecp256k1zkp_v0_5_0_memcmp_var(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *b) { - rustsecp256k1zkp_v0_5_0_fe t = *b; +int fe_rustsecp256k1zkp_v0_6_0_memcmp_var(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *b) { + rustsecp256k1zkp_v0_6_0_fe t = *b; #ifdef VERIFY t.magnitude = a->magnitude; t.normalized = a->normalized; #endif - return rustsecp256k1zkp_v0_5_0_memcmp_var(a, &t, sizeof(rustsecp256k1zkp_v0_5_0_fe)); + return rustsecp256k1zkp_v0_6_0_memcmp_var(a, &t, sizeof(rustsecp256k1zkp_v0_6_0_fe)); } void run_field_misc(void) { - rustsecp256k1zkp_v0_5_0_fe x; - rustsecp256k1zkp_v0_5_0_fe y; - rustsecp256k1zkp_v0_5_0_fe z; - rustsecp256k1zkp_v0_5_0_fe q; - rustsecp256k1zkp_v0_5_0_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); + rustsecp256k1zkp_v0_6_0_fe x; + rustsecp256k1zkp_v0_6_0_fe y; + rustsecp256k1zkp_v0_6_0_fe z; + rustsecp256k1zkp_v0_6_0_fe q; + rustsecp256k1zkp_v0_6_0_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); int i, j; for (i = 0; i < 5*count; i++) { - rustsecp256k1zkp_v0_5_0_fe_storage xs, ys, zs; + rustsecp256k1zkp_v0_6_0_fe_storage xs, ys, zs; random_fe(&x); random_fe_non_zero(&y); /* Test the fe equality and comparison operations. */ - CHECK(rustsecp256k1zkp_v0_5_0_fe_cmp_var(&x, &x) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&x, &x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_cmp_var(&x, &x) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&x, &x)); z = x; - rustsecp256k1zkp_v0_5_0_fe_add(&z,&y); + rustsecp256k1zkp_v0_6_0_fe_add(&z,&y); /* Test fe conditional move; z is not normalized here. */ q = x; - rustsecp256k1zkp_v0_5_0_fe_cmov(&x, &z, 0); + rustsecp256k1zkp_v0_6_0_fe_cmov(&x, &z, 0); #ifdef VERIFY CHECK(x.normalized && x.magnitude == 1); #endif - rustsecp256k1zkp_v0_5_0_fe_cmov(&x, &x, 1); - CHECK(fe_rustsecp256k1zkp_v0_5_0_memcmp_var(&x, &z) != 0); - CHECK(fe_rustsecp256k1zkp_v0_5_0_memcmp_var(&x, &q) == 0); - rustsecp256k1zkp_v0_5_0_fe_cmov(&q, &z, 1); + rustsecp256k1zkp_v0_6_0_fe_cmov(&x, &x, 1); + CHECK(fe_rustsecp256k1zkp_v0_6_0_memcmp_var(&x, &z) != 0); + CHECK(fe_rustsecp256k1zkp_v0_6_0_memcmp_var(&x, &q) == 0); + rustsecp256k1zkp_v0_6_0_fe_cmov(&q, &z, 1); #ifdef VERIFY CHECK(!q.normalized && q.magnitude == z.magnitude); #endif - CHECK(fe_rustsecp256k1zkp_v0_5_0_memcmp_var(&q, &z) == 0); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&z); - CHECK(!rustsecp256k1zkp_v0_5_0_fe_equal_var(&x, &z)); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&q); - rustsecp256k1zkp_v0_5_0_fe_cmov(&q, &z, (i&1)); + CHECK(fe_rustsecp256k1zkp_v0_6_0_memcmp_var(&q, &z) == 0); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&z); + CHECK(!rustsecp256k1zkp_v0_6_0_fe_equal_var(&x, &z)); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&q); + rustsecp256k1zkp_v0_6_0_fe_cmov(&q, &z, (i&1)); #ifdef VERIFY CHECK(q.normalized && q.magnitude == 1); #endif for (j = 0; j < 6; j++) { - rustsecp256k1zkp_v0_5_0_fe_negate(&z, &z, j+1); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&q); - rustsecp256k1zkp_v0_5_0_fe_cmov(&q, &z, (j&1)); + rustsecp256k1zkp_v0_6_0_fe_negate(&z, &z, j+1); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&q); + rustsecp256k1zkp_v0_6_0_fe_cmov(&q, &z, (j&1)); #ifdef VERIFY CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1)); #endif } - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&z); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&z); /* Test storage conversion and conditional moves. */ - rustsecp256k1zkp_v0_5_0_fe_to_storage(&xs, &x); - rustsecp256k1zkp_v0_5_0_fe_to_storage(&ys, &y); - rustsecp256k1zkp_v0_5_0_fe_to_storage(&zs, &z); - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&zs, &xs, 0); - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&zs, &zs, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xs, &zs, sizeof(xs)) != 0); - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&ys, &xs, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&xs, &ys, sizeof(xs)) == 0); - rustsecp256k1zkp_v0_5_0_fe_from_storage(&x, &xs); - rustsecp256k1zkp_v0_5_0_fe_from_storage(&y, &ys); - rustsecp256k1zkp_v0_5_0_fe_from_storage(&z, &zs); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&xs, &x); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&ys, &y); + rustsecp256k1zkp_v0_6_0_fe_to_storage(&zs, &z); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&zs, &xs, 0); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&zs, &zs, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xs, &zs, sizeof(xs)) != 0); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&ys, &xs, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&xs, &ys, sizeof(xs)) == 0); + rustsecp256k1zkp_v0_6_0_fe_from_storage(&x, &xs); + rustsecp256k1zkp_v0_6_0_fe_from_storage(&y, &ys); + rustsecp256k1zkp_v0_6_0_fe_from_storage(&z, &zs); /* Test that mul_int, mul, and add agree. */ - rustsecp256k1zkp_v0_5_0_fe_add(&y, &x); - rustsecp256k1zkp_v0_5_0_fe_add(&y, &x); + rustsecp256k1zkp_v0_6_0_fe_add(&y, &x); + rustsecp256k1zkp_v0_6_0_fe_add(&y, &x); z = x; - rustsecp256k1zkp_v0_5_0_fe_mul_int(&z, 3); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&z, 3); CHECK(check_fe_equal(&y, &z)); - rustsecp256k1zkp_v0_5_0_fe_add(&y, &x); - rustsecp256k1zkp_v0_5_0_fe_add(&z, &x); + rustsecp256k1zkp_v0_6_0_fe_add(&y, &x); + rustsecp256k1zkp_v0_6_0_fe_add(&z, &x); CHECK(check_fe_equal(&z, &y)); z = x; - rustsecp256k1zkp_v0_5_0_fe_mul_int(&z, 5); - rustsecp256k1zkp_v0_5_0_fe_mul(&q, &x, &fe5); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&z, 5); + rustsecp256k1zkp_v0_6_0_fe_mul(&q, &x, &fe5); CHECK(check_fe_equal(&z, &q)); - rustsecp256k1zkp_v0_5_0_fe_negate(&x, &x, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&z, &x); - rustsecp256k1zkp_v0_5_0_fe_add(&q, &x); + rustsecp256k1zkp_v0_6_0_fe_negate(&x, &x, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&z, &x); + rustsecp256k1zkp_v0_6_0_fe_add(&q, &x); CHECK(check_fe_equal(&y, &z)); CHECK(check_fe_equal(&q, &y)); } } -void run_field_inv(void) { - rustsecp256k1zkp_v0_5_0_fe x, xi, xii; - int i; - for (i = 0; i < 10*count; i++) { - random_fe_non_zero(&x); - rustsecp256k1zkp_v0_5_0_fe_inv(&xi, &x); - CHECK(check_fe_inverse(&x, &xi)); - rustsecp256k1zkp_v0_5_0_fe_inv(&xii, &xi); - CHECK(check_fe_equal(&x, &xii)); - } -} - -void run_field_inv_var(void) { - rustsecp256k1zkp_v0_5_0_fe x, xi, xii; - int i; - for (i = 0; i < 10*count; i++) { - random_fe_non_zero(&x); - rustsecp256k1zkp_v0_5_0_fe_inv_var(&xi, &x); - CHECK(check_fe_inverse(&x, &xi)); - rustsecp256k1zkp_v0_5_0_fe_inv_var(&xii, &xi); - CHECK(check_fe_equal(&x, &xii)); - } -} - void run_sqr(void) { - rustsecp256k1zkp_v0_5_0_fe x, s; + rustsecp256k1zkp_v0_6_0_fe x, s; { int i; - rustsecp256k1zkp_v0_5_0_fe_set_int(&x, 1); - rustsecp256k1zkp_v0_5_0_fe_negate(&x, &x, 1); + rustsecp256k1zkp_v0_6_0_fe_set_int(&x, 1); + rustsecp256k1zkp_v0_6_0_fe_negate(&x, &x, 1); for (i = 1; i <= 512; ++i) { - rustsecp256k1zkp_v0_5_0_fe_mul_int(&x, 2); - rustsecp256k1zkp_v0_5_0_fe_normalize(&x); - rustsecp256k1zkp_v0_5_0_fe_sqr(&s, &x); + rustsecp256k1zkp_v0_6_0_fe_mul_int(&x, 2); + rustsecp256k1zkp_v0_6_0_fe_normalize(&x); + rustsecp256k1zkp_v0_6_0_fe_sqr(&s, &x); } } } -void test_sqrt(const rustsecp256k1zkp_v0_5_0_fe *a, const rustsecp256k1zkp_v0_5_0_fe *k) { - rustsecp256k1zkp_v0_5_0_fe r1, r2; - int v = rustsecp256k1zkp_v0_5_0_fe_sqrt(&r1, a); +void test_sqrt(const rustsecp256k1zkp_v0_6_0_fe *a, const rustsecp256k1zkp_v0_6_0_fe *k) { + rustsecp256k1zkp_v0_6_0_fe r1, r2; + int v = rustsecp256k1zkp_v0_6_0_fe_sqrt(&r1, a); CHECK((v == 0) == (k == NULL)); if (k != NULL) { /* Check that the returned root is +/- the given known answer */ - rustsecp256k1zkp_v0_5_0_fe_negate(&r2, &r1, 1); - rustsecp256k1zkp_v0_5_0_fe_add(&r1, k); rustsecp256k1zkp_v0_5_0_fe_add(&r2, k); - rustsecp256k1zkp_v0_5_0_fe_normalize(&r1); rustsecp256k1zkp_v0_5_0_fe_normalize(&r2); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&r1) || rustsecp256k1zkp_v0_5_0_fe_is_zero(&r2)); + rustsecp256k1zkp_v0_6_0_fe_negate(&r2, &r1, 1); + rustsecp256k1zkp_v0_6_0_fe_add(&r1, k); rustsecp256k1zkp_v0_6_0_fe_add(&r2, k); + rustsecp256k1zkp_v0_6_0_fe_normalize(&r1); rustsecp256k1zkp_v0_6_0_fe_normalize(&r2); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&r1) || rustsecp256k1zkp_v0_6_0_fe_is_zero(&r2)); } } void run_sqrt(void) { - rustsecp256k1zkp_v0_5_0_fe ns, x, s, t; + rustsecp256k1zkp_v0_6_0_fe ns, x, s, t; int i; /* Check sqrt(0) is 0 */ - rustsecp256k1zkp_v0_5_0_fe_set_int(&x, 0); - rustsecp256k1zkp_v0_5_0_fe_sqr(&s, &x); + rustsecp256k1zkp_v0_6_0_fe_set_int(&x, 0); + rustsecp256k1zkp_v0_6_0_fe_sqr(&s, &x); test_sqrt(&s, &x); /* Check sqrt of small squares (and their negatives) */ for (i = 1; i <= 100; i++) { - rustsecp256k1zkp_v0_5_0_fe_set_int(&x, i); - rustsecp256k1zkp_v0_5_0_fe_sqr(&s, &x); + rustsecp256k1zkp_v0_6_0_fe_set_int(&x, i); + rustsecp256k1zkp_v0_6_0_fe_sqr(&s, &x); test_sqrt(&s, &x); - rustsecp256k1zkp_v0_5_0_fe_negate(&t, &s, 1); + rustsecp256k1zkp_v0_6_0_fe_negate(&t, &s, 1); test_sqrt(&t, NULL); } @@ -2174,64 +2718,376 @@ void run_sqrt(void) { random_fe_non_square(&ns); for (j = 0; j < count; j++) { random_fe(&x); - rustsecp256k1zkp_v0_5_0_fe_sqr(&s, &x); + rustsecp256k1zkp_v0_6_0_fe_sqr(&s, &x); test_sqrt(&s, &x); - rustsecp256k1zkp_v0_5_0_fe_negate(&t, &s, 1); + rustsecp256k1zkp_v0_6_0_fe_negate(&t, &s, 1); test_sqrt(&t, NULL); - rustsecp256k1zkp_v0_5_0_fe_mul(&t, &s, &ns); + rustsecp256k1zkp_v0_6_0_fe_mul(&t, &s, &ns); test_sqrt(&t, NULL); } } } +/***** FIELD/SCALAR INVERSE TESTS *****/ + +static const rustsecp256k1zkp_v0_6_0_scalar scalar_minus_one = SECP256K1_SCALAR_CONST( + 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, + 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140 +); + +static const rustsecp256k1zkp_v0_6_0_fe fe_minus_one = SECP256K1_FE_CONST( + 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, + 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E +); + +/* These tests test the following identities: + * + * for x==0: 1/x == 0 + * for x!=0: x*(1/x) == 1 + * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1) + */ + +void test_inverse_scalar(rustsecp256k1zkp_v0_6_0_scalar* out, const rustsecp256k1zkp_v0_6_0_scalar* x, int var) +{ + rustsecp256k1zkp_v0_6_0_scalar l, r, t; + + (var ? rustsecp256k1zkp_v0_6_0_scalar_inverse_var : rustsecp256k1zkp_v0_6_0_scalar_inverse_var)(&l, x); /* l = 1/x */ + if (out) *out = l; + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(x)) { + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(&l)); + return; + } + rustsecp256k1zkp_v0_6_0_scalar_mul(&t, x, &l); /* t = x*(1/x) */ + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_one(&t)); /* x*(1/x) == 1 */ + rustsecp256k1zkp_v0_6_0_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */ + if (rustsecp256k1zkp_v0_6_0_scalar_is_zero(&r)) return; + (var ? rustsecp256k1zkp_v0_6_0_scalar_inverse_var : rustsecp256k1zkp_v0_6_0_scalar_inverse_var)(&r, &r); /* r = 1/(x-1) */ + rustsecp256k1zkp_v0_6_0_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */ + (var ? rustsecp256k1zkp_v0_6_0_scalar_inverse_var : rustsecp256k1zkp_v0_6_0_scalar_inverse_var)(&l, &l); /* l = 1/(1/x-1) */ + rustsecp256k1zkp_v0_6_0_scalar_add(&l, &l, &rustsecp256k1zkp_v0_6_0_scalar_one); /* l = 1/(1/x-1)+1 */ + rustsecp256k1zkp_v0_6_0_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */ + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(&l)); /* l == 0 */ +} + +void test_inverse_field(rustsecp256k1zkp_v0_6_0_fe* out, const rustsecp256k1zkp_v0_6_0_fe* x, int var) +{ + rustsecp256k1zkp_v0_6_0_fe l, r, t; + + (var ? rustsecp256k1zkp_v0_6_0_fe_inv_var : rustsecp256k1zkp_v0_6_0_fe_inv)(&l, x) ; /* l = 1/x */ + if (out) *out = l; + t = *x; /* t = x */ + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&t)) { + CHECK(rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&l)); + return; + } + rustsecp256k1zkp_v0_6_0_fe_mul(&t, x, &l); /* t = x*(1/x) */ + rustsecp256k1zkp_v0_6_0_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */ + CHECK(rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */ + r = *x; /* r = x */ + rustsecp256k1zkp_v0_6_0_fe_add(&r, &fe_minus_one); /* r = x-1 */ + if (rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&r)) return; + (var ? rustsecp256k1zkp_v0_6_0_fe_inv_var : rustsecp256k1zkp_v0_6_0_fe_inv)(&r, &r); /* r = 1/(x-1) */ + rustsecp256k1zkp_v0_6_0_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */ + (var ? rustsecp256k1zkp_v0_6_0_fe_inv_var : rustsecp256k1zkp_v0_6_0_fe_inv)(&l, &l); /* l = 1/(1/x-1) */ + rustsecp256k1zkp_v0_6_0_fe_add(&l, &rustsecp256k1zkp_v0_6_0_fe_one); /* l = 1/(1/x-1)+1 */ + rustsecp256k1zkp_v0_6_0_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */ + CHECK(rustsecp256k1zkp_v0_6_0_fe_normalizes_to_zero_var(&l)); /* l == 0 */ +} + +void run_inverse_tests(void) +{ + /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */ + static const rustsecp256k1zkp_v0_6_0_fe fe_cases[][2] = { + /* 0 */ + {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), + SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, + /* 1 */ + {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), + SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, + /* -1 */ + {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e), + SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)}, + /* 2 */ + {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2), + SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)}, + /* 2**128 */ + {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0), + SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)}, + /* Input known to need 637 divsteps */ + {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3), + SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}, + /* Input known to need 567 divsteps starting with delta=1/2. */ + {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc), + SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)}, + /* Input known to need 566 divsteps starting with delta=1/2. */ + {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae), + SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)}, + /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */ + {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000), + SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)}, + {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192), + SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)}, + {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100), + SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)}, + {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8), + SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)}, + {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440), + SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)}, + {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff), + SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)}, + {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe), + SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)}, + {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f), + SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)}, + {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690), + SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)}, + {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000), + SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)}, + /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */ + {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950), + SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)}, + {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057), + SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)}, + {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058), + SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)}, + {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a), + SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)}, + {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c), + SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)}, + {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21), + SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)}, + {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600), + SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)}, + {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec), + SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)}, + {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c), + SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)}, + {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696), + SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)}, + {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e), + SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)}, + {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78), + SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)}, + {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d), + SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)}, + {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870), + SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)}, + {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc), + SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)}, + {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef), + SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)}, + {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6), + SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)}, + {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709), + SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)}, + {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787), + SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)}, + {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760), + SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)}, + {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d), + SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)}, + {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3), + SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)}, + {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4), + SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)}, + {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91), + SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)}, + {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a), + SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)}, + {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9), + SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)}, + {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd), + SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)}, + {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb), + SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)} + }; + /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */ + static const rustsecp256k1zkp_v0_6_0_scalar scalar_cases[][2] = { + /* 0 */ + {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), + SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, + /* 1 */ + {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), + SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, + /* -1 */ + {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140), + SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)}, + /* 2 */ + {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2), + SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)}, + /* 2**128 */ + {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0), + SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)}, + /* Input known to need 635 divsteps */ + {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3), + SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}, + /* Input known to need 566 divsteps starting with delta=1/2. */ + {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72), + SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)}, + /* Input known to need 565 divsteps starting with delta=1/2. */ + {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4), + SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)}, + /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */ + {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e), + SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)}, + {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0), + SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)}, + {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9), + SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)}, + {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2), + SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)}, + {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905), + SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)}, + {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec), + SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)}, + {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816), + SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)}, + {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f), + SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)}, + {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a), + SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)}, + {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504), + SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)}, + {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7), + SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)}, + {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640), + SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)}, + {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03), + SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)}, + {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4), + SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)}, + {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730), + SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)}, + {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948), + SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)}, + {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f), + SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)}, + {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000), + SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)}, + {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9), + SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)}, + {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3), + SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)}, + {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189), + SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)}, + {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141), + SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)}, + {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13), + SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)}, + {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0), + SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)}, + {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785), + SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)}, + {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0), + SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)}, + {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265), + SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)}, + {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5), + SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)}, + {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8), + SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)} + }; + int i, var, testrand; + unsigned char b32[32]; + rustsecp256k1zkp_v0_6_0_fe x_fe; + rustsecp256k1zkp_v0_6_0_scalar x_scalar; + memset(b32, 0, sizeof(b32)); + /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */ + for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) { + for (var = 0; var <= 1; ++var) { + test_inverse_field(&x_fe, &fe_cases[i][0], var); + check_fe_equal(&x_fe, &fe_cases[i][1]); + test_inverse_field(&x_fe, &fe_cases[i][1], var); + check_fe_equal(&x_fe, &fe_cases[i][0]); + } + } + for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) { + for (var = 0; var <= 1; ++var) { + test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&x_scalar, &scalar_cases[i][1])); + test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&x_scalar, &scalar_cases[i][0])); + } + } + /* Test inputs 0..999 and their respective negations. */ + for (i = 0; i < 1000; ++i) { + b32[31] = i & 0xff; + b32[30] = (i >> 8) & 0xff; + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&x_scalar, b32, NULL); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&x_fe, b32); + for (var = 0; var <= 1; ++var) { + test_inverse_scalar(NULL, &x_scalar, var); + test_inverse_field(NULL, &x_fe, var); + } + rustsecp256k1zkp_v0_6_0_scalar_negate(&x_scalar, &x_scalar); + rustsecp256k1zkp_v0_6_0_fe_negate(&x_fe, &x_fe, 1); + for (var = 0; var <= 1; ++var) { + test_inverse_scalar(NULL, &x_scalar, var); + test_inverse_field(NULL, &x_fe, var); + } + } + /* test 128*count random inputs; half with testrand256_test, half with testrand256 */ + for (testrand = 0; testrand <= 1; ++testrand) { + for (i = 0; i < 64 * count; ++i) { + (testrand ? rustsecp256k1zkp_v0_6_0_testrand256_test : rustsecp256k1zkp_v0_6_0_testrand256)(b32); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&x_scalar, b32, NULL); + rustsecp256k1zkp_v0_6_0_fe_set_b32(&x_fe, b32); + for (var = 0; var <= 1; ++var) { + test_inverse_scalar(NULL, &x_scalar, var); + test_inverse_field(NULL, &x_fe, var); + } + } + } +} + /***** GROUP TESTS *****/ -void ge_equals_ge(const rustsecp256k1zkp_v0_5_0_ge *a, const rustsecp256k1zkp_v0_5_0_ge *b) { +void ge_equals_ge(const rustsecp256k1zkp_v0_6_0_ge *a, const rustsecp256k1zkp_v0_6_0_ge *b) { CHECK(a->infinity == b->infinity); if (a->infinity) { return; } - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&a->x, &b->x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&a->y, &b->y)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&a->x, &b->x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&a->y, &b->y)); } /* This compares jacobian points including their Z, not just their geometric meaning. */ -int gej_xyz_equals_gej(const rustsecp256k1zkp_v0_5_0_gej *a, const rustsecp256k1zkp_v0_5_0_gej *b) { - rustsecp256k1zkp_v0_5_0_gej a2; - rustsecp256k1zkp_v0_5_0_gej b2; +int gej_xyz_equals_gej(const rustsecp256k1zkp_v0_6_0_gej *a, const rustsecp256k1zkp_v0_6_0_gej *b) { + rustsecp256k1zkp_v0_6_0_gej a2; + rustsecp256k1zkp_v0_6_0_gej b2; int ret = 1; ret &= a->infinity == b->infinity; if (ret && !a->infinity) { a2 = *a; b2 = *b; - rustsecp256k1zkp_v0_5_0_fe_normalize(&a2.x); - rustsecp256k1zkp_v0_5_0_fe_normalize(&a2.y); - rustsecp256k1zkp_v0_5_0_fe_normalize(&a2.z); - rustsecp256k1zkp_v0_5_0_fe_normalize(&b2.x); - rustsecp256k1zkp_v0_5_0_fe_normalize(&b2.y); - rustsecp256k1zkp_v0_5_0_fe_normalize(&b2.z); - ret &= rustsecp256k1zkp_v0_5_0_fe_cmp_var(&a2.x, &b2.x) == 0; - ret &= rustsecp256k1zkp_v0_5_0_fe_cmp_var(&a2.y, &b2.y) == 0; - ret &= rustsecp256k1zkp_v0_5_0_fe_cmp_var(&a2.z, &b2.z) == 0; + rustsecp256k1zkp_v0_6_0_fe_normalize(&a2.x); + rustsecp256k1zkp_v0_6_0_fe_normalize(&a2.y); + rustsecp256k1zkp_v0_6_0_fe_normalize(&a2.z); + rustsecp256k1zkp_v0_6_0_fe_normalize(&b2.x); + rustsecp256k1zkp_v0_6_0_fe_normalize(&b2.y); + rustsecp256k1zkp_v0_6_0_fe_normalize(&b2.z); + ret &= rustsecp256k1zkp_v0_6_0_fe_cmp_var(&a2.x, &b2.x) == 0; + ret &= rustsecp256k1zkp_v0_6_0_fe_cmp_var(&a2.y, &b2.y) == 0; + ret &= rustsecp256k1zkp_v0_6_0_fe_cmp_var(&a2.z, &b2.z) == 0; } return ret; } -void ge_equals_gej(const rustsecp256k1zkp_v0_5_0_ge *a, const rustsecp256k1zkp_v0_5_0_gej *b) { - rustsecp256k1zkp_v0_5_0_fe z2s; - rustsecp256k1zkp_v0_5_0_fe u1, u2, s1, s2; +void ge_equals_gej(const rustsecp256k1zkp_v0_6_0_ge *a, const rustsecp256k1zkp_v0_6_0_gej *b) { + rustsecp256k1zkp_v0_6_0_fe z2s; + rustsecp256k1zkp_v0_6_0_fe u1, u2, s1, s2; CHECK(a->infinity == b->infinity); if (a->infinity) { return; } /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&z2s, &b->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&u1, &a->x, &z2s); - u2 = b->x; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&u2); - rustsecp256k1zkp_v0_5_0_fe_mul(&s1, &a->y, &z2s); rustsecp256k1zkp_v0_5_0_fe_mul(&s1, &s1, &b->z); - s2 = b->y; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&s2); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&u1, &u2)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&s1, &s2)); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z2s, &b->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&u1, &a->x, &z2s); + u2 = b->x; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&u2); + rustsecp256k1zkp_v0_6_0_fe_mul(&s1, &a->y, &z2s); rustsecp256k1zkp_v0_6_0_fe_mul(&s1, &s1, &b->z); + s2 = b->y; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&s2); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&u1, &u2)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&s1, &s2)); } void test_ge(void) { @@ -2243,31 +3099,31 @@ void test_ge(void) { * negation, and then those two again but with randomized Z coordinate. * - The same is then done for lambda*p1 and lambda^2*p1. */ - rustsecp256k1zkp_v0_5_0_ge *ge = (rustsecp256k1zkp_v0_5_0_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_5_0_ge) * (1 + 4 * runs)); - rustsecp256k1zkp_v0_5_0_gej *gej = (rustsecp256k1zkp_v0_5_0_gej *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_5_0_gej) * (1 + 4 * runs)); - rustsecp256k1zkp_v0_5_0_fe zf; - rustsecp256k1zkp_v0_5_0_fe zfi2, zfi3; - - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&gej[0]); - rustsecp256k1zkp_v0_5_0_ge_clear(&ge[0]); - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&ge[0], &gej[0]); + rustsecp256k1zkp_v0_6_0_ge *ge = (rustsecp256k1zkp_v0_6_0_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_6_0_ge) * (1 + 4 * runs)); + rustsecp256k1zkp_v0_6_0_gej *gej = (rustsecp256k1zkp_v0_6_0_gej *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_6_0_gej) * (1 + 4 * runs)); + rustsecp256k1zkp_v0_6_0_fe zf; + rustsecp256k1zkp_v0_6_0_fe zfi2, zfi3; + + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&gej[0]); + rustsecp256k1zkp_v0_6_0_ge_clear(&ge[0]); + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&ge[0], &gej[0]); for (i = 0; i < runs; i++) { int j; - rustsecp256k1zkp_v0_5_0_ge g; + rustsecp256k1zkp_v0_6_0_ge g; random_group_element_test(&g); if (i >= runs - 2) { - rustsecp256k1zkp_v0_5_0_ge_mul_lambda(&g, &ge[1]); + rustsecp256k1zkp_v0_6_0_ge_mul_lambda(&g, &ge[1]); } if (i >= runs - 1) { - rustsecp256k1zkp_v0_5_0_ge_mul_lambda(&g, &g); + rustsecp256k1zkp_v0_6_0_ge_mul_lambda(&g, &g); } ge[1 + 4 * i] = g; ge[2 + 4 * i] = g; - rustsecp256k1zkp_v0_5_0_ge_neg(&ge[3 + 4 * i], &g); - rustsecp256k1zkp_v0_5_0_ge_neg(&ge[4 + 4 * i], &g); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); + rustsecp256k1zkp_v0_6_0_ge_neg(&ge[3 + 4 * i], &g); + rustsecp256k1zkp_v0_6_0_ge_neg(&ge[4 + 4 * i], &g); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); for (j = 0; j < 4; j++) { random_field_element_magnitude(&ge[1 + j + 4 * i].x); @@ -2281,84 +3137,84 @@ void test_ge(void) { /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ do { random_field_element_test(&zf); - } while(rustsecp256k1zkp_v0_5_0_fe_is_zero(&zf)); + } while(rustsecp256k1zkp_v0_6_0_fe_is_zero(&zf)); random_field_element_magnitude(&zf); - rustsecp256k1zkp_v0_5_0_fe_inv_var(&zfi3, &zf); - rustsecp256k1zkp_v0_5_0_fe_sqr(&zfi2, &zfi3); - rustsecp256k1zkp_v0_5_0_fe_mul(&zfi3, &zfi3, &zfi2); + rustsecp256k1zkp_v0_6_0_fe_inv_var(&zfi3, &zf); + rustsecp256k1zkp_v0_6_0_fe_sqr(&zfi2, &zfi3); + rustsecp256k1zkp_v0_6_0_fe_mul(&zfi3, &zfi3, &zfi2); for (i1 = 0; i1 < 1 + 4 * runs; i1++) { int i2; for (i2 = 0; i2 < 1 + 4 * runs; i2++) { /* Compute reference result using gej + gej (var). */ - rustsecp256k1zkp_v0_5_0_gej refj, resj; - rustsecp256k1zkp_v0_5_0_ge ref; - rustsecp256k1zkp_v0_5_0_fe zr; - rustsecp256k1zkp_v0_5_0_gej_add_var(&refj, &gej[i1], &gej[i2], rustsecp256k1zkp_v0_5_0_gej_is_infinity(&gej[i1]) ? NULL : &zr); + rustsecp256k1zkp_v0_6_0_gej refj, resj; + rustsecp256k1zkp_v0_6_0_ge ref; + rustsecp256k1zkp_v0_6_0_fe zr; + rustsecp256k1zkp_v0_6_0_gej_add_var(&refj, &gej[i1], &gej[i2], rustsecp256k1zkp_v0_6_0_gej_is_infinity(&gej[i1]) ? NULL : &zr); /* Check Z ratio. */ - if (!rustsecp256k1zkp_v0_5_0_gej_is_infinity(&gej[i1]) && !rustsecp256k1zkp_v0_5_0_gej_is_infinity(&refj)) { - rustsecp256k1zkp_v0_5_0_fe zrz; rustsecp256k1zkp_v0_5_0_fe_mul(&zrz, &zr, &gej[i1].z); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&zrz, &refj.z)); + if (!rustsecp256k1zkp_v0_6_0_gej_is_infinity(&gej[i1]) && !rustsecp256k1zkp_v0_6_0_gej_is_infinity(&refj)) { + rustsecp256k1zkp_v0_6_0_fe zrz; rustsecp256k1zkp_v0_6_0_fe_mul(&zrz, &zr, &gej[i1].z); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&zrz, &refj.z)); } - rustsecp256k1zkp_v0_5_0_ge_set_gej_var(&ref, &refj); + rustsecp256k1zkp_v0_6_0_ge_set_gej_var(&ref, &refj); /* Test gej + ge with Z ratio result (var). */ - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&resj, &gej[i1], &ge[i2], rustsecp256k1zkp_v0_5_0_gej_is_infinity(&gej[i1]) ? NULL : &zr); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&resj, &gej[i1], &ge[i2], rustsecp256k1zkp_v0_6_0_gej_is_infinity(&gej[i1]) ? NULL : &zr); ge_equals_gej(&ref, &resj); - if (!rustsecp256k1zkp_v0_5_0_gej_is_infinity(&gej[i1]) && !rustsecp256k1zkp_v0_5_0_gej_is_infinity(&resj)) { - rustsecp256k1zkp_v0_5_0_fe zrz; rustsecp256k1zkp_v0_5_0_fe_mul(&zrz, &zr, &gej[i1].z); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&zrz, &resj.z)); + if (!rustsecp256k1zkp_v0_6_0_gej_is_infinity(&gej[i1]) && !rustsecp256k1zkp_v0_6_0_gej_is_infinity(&resj)) { + rustsecp256k1zkp_v0_6_0_fe zrz; rustsecp256k1zkp_v0_6_0_fe_mul(&zrz, &zr, &gej[i1].z); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&zrz, &resj.z)); } /* Test gej + ge (var, with additional Z factor). */ { - rustsecp256k1zkp_v0_5_0_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ - rustsecp256k1zkp_v0_5_0_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); - rustsecp256k1zkp_v0_5_0_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); + rustsecp256k1zkp_v0_6_0_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ + rustsecp256k1zkp_v0_6_0_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); + rustsecp256k1zkp_v0_6_0_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); random_field_element_magnitude(&ge2_zfi.x); random_field_element_magnitude(&ge2_zfi.y); - rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); + rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); ge_equals_gej(&ref, &resj); } /* Test gej + ge (const). */ if (i2 != 0) { - /* rustsecp256k1zkp_v0_5_0_gej_add_ge does not support its second argument being infinity. */ - rustsecp256k1zkp_v0_5_0_gej_add_ge(&resj, &gej[i1], &ge[i2]); + /* rustsecp256k1zkp_v0_6_0_gej_add_ge does not support its second argument being infinity. */ + rustsecp256k1zkp_v0_6_0_gej_add_ge(&resj, &gej[i1], &ge[i2]); ge_equals_gej(&ref, &resj); } /* Test doubling (var). */ if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { - rustsecp256k1zkp_v0_5_0_fe zr2; + rustsecp256k1zkp_v0_6_0_fe zr2; /* Normal doubling with Z ratio result. */ - rustsecp256k1zkp_v0_5_0_gej_double_var(&resj, &gej[i1], &zr2); + rustsecp256k1zkp_v0_6_0_gej_double_var(&resj, &gej[i1], &zr2); ge_equals_gej(&ref, &resj); /* Check Z ratio. */ - rustsecp256k1zkp_v0_5_0_fe_mul(&zr2, &zr2, &gej[i1].z); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&zr2, &resj.z)); + rustsecp256k1zkp_v0_6_0_fe_mul(&zr2, &zr2, &gej[i1].z); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&zr2, &resj.z)); /* Normal doubling. */ - rustsecp256k1zkp_v0_5_0_gej_double_var(&resj, &gej[i2], NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&resj, &gej[i2], NULL); ge_equals_gej(&ref, &resj); /* Constant-time doubling. */ - rustsecp256k1zkp_v0_5_0_gej_double(&resj, &gej[i2]); + rustsecp256k1zkp_v0_6_0_gej_double(&resj, &gej[i2]); ge_equals_gej(&ref, &resj); } /* Test adding opposites. */ if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_infinity(&ref)); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&ref)); } /* Test adding infinity. */ if (i1 == 0) { - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_infinity(&ge[i1])); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&gej[i1])); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&ge[i1])); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&gej[i1])); ge_equals_gej(&ref, &gej[i2]); } if (i2 == 0) { - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_infinity(&ge[i2])); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&gej[i2])); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&ge[i2])); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&gej[i2])); ge_equals_gej(&ref, &gej[i1]); } } @@ -2366,34 +3222,34 @@ void test_ge(void) { /* Test adding all points together in random order equals infinity. */ { - rustsecp256k1zkp_v0_5_0_gej sum = SECP256K1_GEJ_CONST_INFINITY; - rustsecp256k1zkp_v0_5_0_gej *gej_shuffled = (rustsecp256k1zkp_v0_5_0_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1zkp_v0_5_0_gej)); + rustsecp256k1zkp_v0_6_0_gej sum = SECP256K1_GEJ_CONST_INFINITY; + rustsecp256k1zkp_v0_6_0_gej *gej_shuffled = (rustsecp256k1zkp_v0_6_0_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1zkp_v0_6_0_gej)); for (i = 0; i < 4 * runs + 1; i++) { gej_shuffled[i] = gej[i]; } for (i = 0; i < 4 * runs + 1; i++) { - int swap = i + rustsecp256k1zkp_v0_5_0_testrand_int(4 * runs + 1 - i); + int swap = i + rustsecp256k1zkp_v0_6_0_testrand_int(4 * runs + 1 - i); if (swap != i) { - rustsecp256k1zkp_v0_5_0_gej t = gej_shuffled[i]; + rustsecp256k1zkp_v0_6_0_gej t = gej_shuffled[i]; gej_shuffled[i] = gej_shuffled[swap]; gej_shuffled[swap] = t; } } for (i = 0; i < 4 * runs + 1; i++) { - rustsecp256k1zkp_v0_5_0_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); } - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&sum)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&sum)); free(gej_shuffled); } /* Test batch gej -> ge conversion without known z ratios. */ { - rustsecp256k1zkp_v0_5_0_ge *ge_set_all = (rustsecp256k1zkp_v0_5_0_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1zkp_v0_5_0_ge)); - rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1); + rustsecp256k1zkp_v0_6_0_ge *ge_set_all = (rustsecp256k1zkp_v0_6_0_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1zkp_v0_6_0_ge)); + rustsecp256k1zkp_v0_6_0_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1); for (i = 0; i < 4 * runs + 1; i++) { - rustsecp256k1zkp_v0_5_0_fe s; + rustsecp256k1zkp_v0_6_0_fe s; random_fe_non_zero(&s); - rustsecp256k1zkp_v0_5_0_gej_rescale(&gej[i], &s); + rustsecp256k1zkp_v0_6_0_gej_rescale(&gej[i], &s); ge_equals_gej(&ge_set_all[i], &gej[i]); } free(ge_set_all); @@ -2401,53 +3257,67 @@ void test_ge(void) { /* Test batch gej -> ge conversion with many infinities. */ for (i = 0; i < 4 * runs + 1; i++) { + int odd; random_group_element_test(&ge[i]); + odd = rustsecp256k1zkp_v0_6_0_fe_is_odd(&ge[i].x); + CHECK(odd == 0 || odd == 1); /* randomly set half the points to infinity */ - if(rustsecp256k1zkp_v0_5_0_fe_is_odd(&ge[i].x)) { - rustsecp256k1zkp_v0_5_0_ge_set_infinity(&ge[i]); + if (odd == i % 2) { + rustsecp256k1zkp_v0_6_0_ge_set_infinity(&ge[i]); } - rustsecp256k1zkp_v0_5_0_gej_set_ge(&gej[i], &ge[i]); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&gej[i], &ge[i]); } - /* batch invert */ - rustsecp256k1zkp_v0_5_0_ge_set_all_gej_var(ge, gej, 4 * runs + 1); + /* batch convert */ + rustsecp256k1zkp_v0_6_0_ge_set_all_gej_var(ge, gej, 4 * runs + 1); /* check result */ for (i = 0; i < 4 * runs + 1; i++) { ge_equals_gej(&ge[i], &gej[i]); } + /* Test batch gej -> ge conversion with all infinities. */ + for (i = 0; i < 4 * runs + 1; i++) { + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&gej[i]); + } + /* batch convert */ + rustsecp256k1zkp_v0_6_0_ge_set_all_gej_var(ge, gej, 4 * runs + 1); + /* check result */ + for (i = 0; i < 4 * runs + 1; i++) { + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&ge[i])); + } + free(ge); free(gej); } void test_intialized_inf(void) { - rustsecp256k1zkp_v0_5_0_ge p; - rustsecp256k1zkp_v0_5_0_gej pj, npj, infj1, infj2, infj3; - rustsecp256k1zkp_v0_5_0_fe zinv; + rustsecp256k1zkp_v0_6_0_ge p; + rustsecp256k1zkp_v0_6_0_gej pj, npj, infj1, infj2, infj3; + rustsecp256k1zkp_v0_6_0_fe zinv; /* Test that adding P+(-P) results in a fully initalized infinity*/ random_group_element_test(&p); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pj, &p); - rustsecp256k1zkp_v0_5_0_gej_neg(&npj, &pj); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pj, &p); + rustsecp256k1zkp_v0_6_0_gej_neg(&npj, &pj); - rustsecp256k1zkp_v0_5_0_gej_add_var(&infj1, &pj, &npj, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&infj1)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj1.x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj1.y)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj1.z)); + rustsecp256k1zkp_v0_6_0_gej_add_var(&infj1, &pj, &npj, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&infj1)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj1.x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj1.y)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj1.z)); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&infj2, &npj, &p, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&infj2)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj2.x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj2.y)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj2.z)); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&infj2, &npj, &p, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&infj2)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj2.x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj2.y)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj2.z)); - rustsecp256k1zkp_v0_5_0_fe_set_int(&zinv, 1); - rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(&infj3, &npj, &p, &zinv); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&infj3)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj3.x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj3.y)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_zero(&infj3.z)); + rustsecp256k1zkp_v0_6_0_fe_set_int(&zinv, 1); + rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(&infj3, &npj, &p, &zinv); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&infj3)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj3.x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj3.y)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_zero(&infj3.z)); } @@ -2483,39 +3353,39 @@ void test_add_neg_y_diff_x(void) { * print " Q: %x %x" % Q.xy() * print "P + Q: %x %x" % (P + Q).xy() */ - rustsecp256k1zkp_v0_5_0_gej aj = SECP256K1_GEJ_CONST( + rustsecp256k1zkp_v0_6_0_gej aj = SECP256K1_GEJ_CONST( 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d ); - rustsecp256k1zkp_v0_5_0_gej bj = SECP256K1_GEJ_CONST( + rustsecp256k1zkp_v0_6_0_gej bj = SECP256K1_GEJ_CONST( 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 ); - rustsecp256k1zkp_v0_5_0_gej sumj = SECP256K1_GEJ_CONST( + rustsecp256k1zkp_v0_6_0_gej sumj = SECP256K1_GEJ_CONST( 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe ); - rustsecp256k1zkp_v0_5_0_ge b; - rustsecp256k1zkp_v0_5_0_gej resj; - rustsecp256k1zkp_v0_5_0_ge res; - rustsecp256k1zkp_v0_5_0_ge_set_gej(&b, &bj); + rustsecp256k1zkp_v0_6_0_ge b; + rustsecp256k1zkp_v0_6_0_gej resj; + rustsecp256k1zkp_v0_6_0_ge res; + rustsecp256k1zkp_v0_6_0_ge_set_gej(&b, &bj); - rustsecp256k1zkp_v0_5_0_gej_add_var(&resj, &aj, &bj, NULL); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res, &resj); + rustsecp256k1zkp_v0_6_0_gej_add_var(&resj, &aj, &bj, NULL); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res, &resj); ge_equals_gej(&res, &sumj); - rustsecp256k1zkp_v0_5_0_gej_add_ge(&resj, &aj, &b); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res, &resj); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&resj, &aj, &b); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res, &resj); ge_equals_gej(&res, &sumj); - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&resj, &aj, &b, NULL); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res, &resj); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&resj, &aj, &b, NULL); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res, &resj); ge_equals_gej(&res, &sumj); } @@ -2529,27 +3399,27 @@ void run_ge(void) { } void test_ec_combine(void) { - rustsecp256k1zkp_v0_5_0_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - rustsecp256k1zkp_v0_5_0_pubkey data[6]; - const rustsecp256k1zkp_v0_5_0_pubkey* d[6]; - rustsecp256k1zkp_v0_5_0_pubkey sd; - rustsecp256k1zkp_v0_5_0_pubkey sd2; - rustsecp256k1zkp_v0_5_0_gej Qj; - rustsecp256k1zkp_v0_5_0_ge Q; + rustsecp256k1zkp_v0_6_0_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1zkp_v0_6_0_pubkey data[6]; + const rustsecp256k1zkp_v0_6_0_pubkey* d[6]; + rustsecp256k1zkp_v0_6_0_pubkey sd; + rustsecp256k1zkp_v0_6_0_pubkey sd2; + rustsecp256k1zkp_v0_6_0_gej Qj; + rustsecp256k1zkp_v0_6_0_ge Q; int i; for (i = 1; i <= 6; i++) { - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar s; random_scalar_order_test(&s); - rustsecp256k1zkp_v0_5_0_scalar_add(&sum, &sum, &s); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&Q, &Qj); - rustsecp256k1zkp_v0_5_0_pubkey_save(&data[i - 1], &Q); + rustsecp256k1zkp_v0_6_0_scalar_add(&sum, &sum, &s); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&Q, &Qj); + rustsecp256k1zkp_v0_6_0_pubkey_save(&data[i - 1], &Q); d[i - 1] = &data[i - 1]; - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&Q, &Qj); - rustsecp256k1zkp_v0_5_0_pubkey_save(&sd, &Q); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, &sd2, d, i) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&sd, &sd2, sizeof(sd)) == 0); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&Q, &Qj); + rustsecp256k1zkp_v0_6_0_pubkey_save(&sd, &Q); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, &sd2, d, i) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&sd, &sd2, sizeof(sd)) == 0); } } @@ -2561,72 +3431,72 @@ void run_ec_combine(void) { } void test_ec_commit(void) { - rustsecp256k1zkp_v0_5_0_scalar seckey_s; - rustsecp256k1zkp_v0_5_0_ge pubkey; - rustsecp256k1zkp_v0_5_0_gej pubkeyj; - rustsecp256k1zkp_v0_5_0_ge commitment; + rustsecp256k1zkp_v0_6_0_scalar seckey_s; + rustsecp256k1zkp_v0_6_0_ge pubkey; + rustsecp256k1zkp_v0_6_0_gej pubkeyj; + rustsecp256k1zkp_v0_6_0_ge commitment; unsigned char data[32]; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; /* Create random keypair and data */ random_scalar_order_test(&seckey_s); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pubkey, &pubkeyj); - rustsecp256k1zkp_v0_5_0_testrand256_test(data); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pubkey, &pubkeyj); + rustsecp256k1zkp_v0_6_0_testrand256_test(data); /* Commit to data and verify */ - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 1); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 1); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 1); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 1); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 1); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 1); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); ge_equals_gej(&commitment, &pubkeyj); /* Check that verification fails with different data */ - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 31) == 0); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 31) == 0); /* Check that commmitting fails when the inner pubkey is the point at * infinity */ - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - rustsecp256k1zkp_v0_5_0_ge_set_infinity(&pubkey); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&seckey_s, 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 0); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + rustsecp256k1zkp_v0_6_0_ge_set_infinity(&pubkey); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&seckey_s, 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit_seckey(&seckey_s, &pubkey, &sha, data, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 32) == 0); } void test_ec_commit_api(void) { unsigned char seckey[32]; - rustsecp256k1zkp_v0_5_0_scalar seckey_s; - rustsecp256k1zkp_v0_5_0_ge pubkey; - rustsecp256k1zkp_v0_5_0_gej pubkeyj; - rustsecp256k1zkp_v0_5_0_ge commitment; + rustsecp256k1zkp_v0_6_0_scalar seckey_s; + rustsecp256k1zkp_v0_6_0_ge pubkey; + rustsecp256k1zkp_v0_6_0_gej pubkeyj; + rustsecp256k1zkp_v0_6_0_ge commitment; unsigned char data[32]; - rustsecp256k1zkp_v0_5_0_sha256 sha; + rustsecp256k1zkp_v0_6_0_sha256 sha; memset(data, 23, sizeof(data)); /* Create random keypair */ random_scalar_order_test(&seckey_s); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(seckey, &seckey_s); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pubkey, &pubkeyj); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(seckey, &seckey_s); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubkeyj, &seckey_s); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pubkey, &pubkeyj); - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 1) == 1); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 1) == 1); /* The same pubkey can be both input and output of the function */ { - rustsecp256k1zkp_v0_5_0_ge pubkey_tmp = pubkey; - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit(&ctx->ecmult_ctx, &pubkey_tmp, &pubkey_tmp, &sha, data, 1) == 1); + rustsecp256k1zkp_v0_6_0_ge pubkey_tmp = pubkey; + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit(&ctx->ecmult_ctx, &pubkey_tmp, &pubkey_tmp, &sha, data, 1) == 1); ge_equals_ge(&commitment, &pubkey_tmp); } - rustsecp256k1zkp_v0_5_0_sha256_initialize(&sha); - CHECK(rustsecp256k1zkp_v0_5_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 1) == 1); + rustsecp256k1zkp_v0_6_0_sha256_initialize(&sha); + CHECK(rustsecp256k1zkp_v0_6_0_ec_commit_verify(&ctx->ecmult_ctx, &commitment, &pubkey, &sha, data, 1) == 1); } void run_ec_commit(void) { @@ -2637,74 +3507,45 @@ void run_ec_commit(void) { test_ec_commit_api(); } -void test_group_decompress(const rustsecp256k1zkp_v0_5_0_fe* x) { +void test_group_decompress(const rustsecp256k1zkp_v0_6_0_fe* x) { /* The input itself, normalized. */ - rustsecp256k1zkp_v0_5_0_fe fex = *x; - rustsecp256k1zkp_v0_5_0_fe fez; - /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */ - rustsecp256k1zkp_v0_5_0_ge ge_quad, ge_even, ge_odd; - rustsecp256k1zkp_v0_5_0_gej gej_quad; + rustsecp256k1zkp_v0_6_0_fe fex = *x; + /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */ + rustsecp256k1zkp_v0_6_0_ge ge_even, ge_odd; /* Return values of the above calls. */ - int res_quad, res_even, res_odd; + int res_even, res_odd; - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&fex); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&fex); - res_quad = rustsecp256k1zkp_v0_5_0_ge_set_xquad(&ge_quad, &fex); - res_even = rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&ge_even, &fex, 0); - res_odd = rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&ge_odd, &fex, 1); + res_even = rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&ge_even, &fex, 0); + res_odd = rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&ge_odd, &fex, 1); - CHECK(res_quad == res_even); - CHECK(res_quad == res_odd); + CHECK(res_even == res_odd); - if (res_quad) { - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge_quad.x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge_odd.x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge_even.x); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge_quad.y); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge_odd.y); - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&ge_even.y); + if (res_even) { + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge_odd.x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge_even.x); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge_odd.y); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&ge_even.y); /* No infinity allowed. */ - CHECK(!ge_quad.infinity); CHECK(!ge_even.infinity); CHECK(!ge_odd.infinity); /* Check that the x coordinates check out. */ - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&ge_quad.x, x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&ge_even.x, x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&ge_odd.x, x)); - - /* Check that the Y coordinate result in ge_quad is a square. */ - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_quad_var(&ge_quad.y)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&ge_even.x, x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&ge_odd.x, x)); /* Check odd/even Y in ge_odd, ge_even. */ - CHECK(rustsecp256k1zkp_v0_5_0_fe_is_odd(&ge_odd.y)); - CHECK(!rustsecp256k1zkp_v0_5_0_fe_is_odd(&ge_even.y)); - - /* Check rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var. */ - rustsecp256k1zkp_v0_5_0_gej_set_ge(&gej_quad, &ge_quad); - CHECK(rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(&gej_quad)); - do { - random_fe_test(&fez); - } while (rustsecp256k1zkp_v0_5_0_fe_is_zero(&fez)); - rustsecp256k1zkp_v0_5_0_gej_rescale(&gej_quad, &fez); - CHECK(rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(&gej_quad)); - rustsecp256k1zkp_v0_5_0_gej_neg(&gej_quad, &gej_quad); - CHECK(!rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(&gej_quad)); - do { - random_fe_test(&fez); - } while (rustsecp256k1zkp_v0_5_0_fe_is_zero(&fez)); - rustsecp256k1zkp_v0_5_0_gej_rescale(&gej_quad, &fez); - CHECK(!rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(&gej_quad)); - rustsecp256k1zkp_v0_5_0_gej_neg(&gej_quad, &gej_quad); - CHECK(rustsecp256k1zkp_v0_5_0_gej_has_quad_y_var(&gej_quad)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_is_odd(&ge_odd.y)); + CHECK(!rustsecp256k1zkp_v0_6_0_fe_is_odd(&ge_even.y)); } } void run_group_decompress(void) { int i; for (i = 0; i < count * 4; i++) { - rustsecp256k1zkp_v0_5_0_fe fe; + rustsecp256k1zkp_v0_6_0_fe fe; random_fe_test(&fe); test_group_decompress(&fe); } @@ -2714,110 +3555,110 @@ void run_group_decompress(void) { void run_ecmult_chain(void) { /* random starting point A (on the curve) */ - rustsecp256k1zkp_v0_5_0_gej a = SECP256K1_GEJ_CONST( + rustsecp256k1zkp_v0_6_0_gej a = SECP256K1_GEJ_CONST( 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f ); /* two random initial factors xn and gn */ - rustsecp256k1zkp_v0_5_0_scalar xn = SECP256K1_SCALAR_CONST( + rustsecp256k1zkp_v0_6_0_scalar xn = SECP256K1_SCALAR_CONST( 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 ); - rustsecp256k1zkp_v0_5_0_scalar gn = SECP256K1_SCALAR_CONST( + rustsecp256k1zkp_v0_6_0_scalar gn = SECP256K1_SCALAR_CONST( 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de ); /* two small multipliers to be applied to xn and gn in every iteration: */ - static const rustsecp256k1zkp_v0_5_0_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); - static const rustsecp256k1zkp_v0_5_0_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); + static const rustsecp256k1zkp_v0_6_0_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); + static const rustsecp256k1zkp_v0_6_0_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); /* accumulators with the resulting coefficients to A and G */ - rustsecp256k1zkp_v0_5_0_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1zkp_v0_5_0_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1zkp_v0_6_0_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1zkp_v0_6_0_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); /* actual points */ - rustsecp256k1zkp_v0_5_0_gej x; - rustsecp256k1zkp_v0_5_0_gej x2; + rustsecp256k1zkp_v0_6_0_gej x; + rustsecp256k1zkp_v0_6_0_gej x2; int i; /* the point being computed */ x = a; for (i = 0; i < 200*count; i++) { /* in each iteration, compute X = xn*X + gn*G; */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn); /* also compute ae and ge: the actual accumulated factors for A and G */ /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&ae, &ae, &xn); - rustsecp256k1zkp_v0_5_0_scalar_mul(&ge, &ge, &xn); - rustsecp256k1zkp_v0_5_0_scalar_add(&ge, &ge, &gn); + rustsecp256k1zkp_v0_6_0_scalar_mul(&ae, &ae, &xn); + rustsecp256k1zkp_v0_6_0_scalar_mul(&ge, &ge, &xn); + rustsecp256k1zkp_v0_6_0_scalar_add(&ge, &ge, &gn); /* modify xn and gn */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&xn, &xn, &xf); - rustsecp256k1zkp_v0_5_0_scalar_mul(&gn, &gn, &gf); + rustsecp256k1zkp_v0_6_0_scalar_mul(&xn, &xn, &xf); + rustsecp256k1zkp_v0_6_0_scalar_mul(&gn, &gn, &gf); /* verify */ if (i == 19999) { /* expected result after 19999 iterations */ - rustsecp256k1zkp_v0_5_0_gej rp = SECP256K1_GEJ_CONST( + rustsecp256k1zkp_v0_6_0_gej rp = SECP256K1_GEJ_CONST( 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 ); - rustsecp256k1zkp_v0_5_0_gej_neg(&rp, &rp); - rustsecp256k1zkp_v0_5_0_gej_add_var(&rp, &rp, &x, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&rp)); + rustsecp256k1zkp_v0_6_0_gej_neg(&rp, &rp); + rustsecp256k1zkp_v0_6_0_gej_add_var(&rp, &rp, &x, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&rp)); } } /* redo the computation, but directly with the resulting ae and ge coefficients: */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge); - rustsecp256k1zkp_v0_5_0_gej_neg(&x2, &x2); - rustsecp256k1zkp_v0_5_0_gej_add_var(&x2, &x2, &x, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&x2)); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge); + rustsecp256k1zkp_v0_6_0_gej_neg(&x2, &x2); + rustsecp256k1zkp_v0_6_0_gej_add_var(&x2, &x2, &x, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&x2)); } -void test_point_times_order(const rustsecp256k1zkp_v0_5_0_gej *point) { +void test_point_times_order(const rustsecp256k1zkp_v0_6_0_gej *point) { /* X * (point + G) + (order-X) * (pointer + G) = 0 */ - rustsecp256k1zkp_v0_5_0_scalar x; - rustsecp256k1zkp_v0_5_0_scalar nx; - rustsecp256k1zkp_v0_5_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - rustsecp256k1zkp_v0_5_0_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1zkp_v0_5_0_gej res1, res2; - rustsecp256k1zkp_v0_5_0_ge res3; + rustsecp256k1zkp_v0_6_0_scalar x; + rustsecp256k1zkp_v0_6_0_scalar nx; + rustsecp256k1zkp_v0_6_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1zkp_v0_6_0_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1zkp_v0_6_0_gej res1, res2; + rustsecp256k1zkp_v0_6_0_ge res3; unsigned char pub[65]; size_t psize = 65; random_scalar_order_test(&x); - rustsecp256k1zkp_v0_5_0_scalar_negate(&nx, &x); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ - rustsecp256k1zkp_v0_5_0_gej_add_var(&res1, &res1, &res2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&res1)); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res3, &res1); - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_infinity(&res3)); - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_valid_var(&res3) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); + rustsecp256k1zkp_v0_6_0_scalar_negate(&nx, &x); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */ + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ + rustsecp256k1zkp_v0_6_0_gej_add_var(&res1, &res1, &res2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&res1)); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res3, &res1); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&res3)); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_valid_var(&res3) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); psize = 65; - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); /* check zero/one edge cases */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res3, &res1); - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_infinity(&res3)); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res3, &res1); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res3, &res1); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&res3)); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res3, &res1); ge_equals_gej(&res3, point); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res3, &res1); - ge_equals_ge(&res3, &rustsecp256k1zkp_v0_5_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res3, &res1); + ge_equals_ge(&res3, &rustsecp256k1zkp_v0_6_0_ge_const_g); } -/* These scalars reach large (in absolute value) outputs when fed to rustsecp256k1zkp_v0_5_0_scalar_split_lambda. +/* These scalars reach large (in absolute value) outputs when fed to rustsecp256k1zkp_v0_6_0_scalar_split_lambda. * * They are computed as: * - For a in [-2, -1, 0, 1, 2]: * - For b in [-3, -1, 1, 3]: * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER */ -static const rustsecp256k1zkp_v0_5_0_scalar scalars_near_split_bounds[20] = { +static const rustsecp256k1zkp_v0_6_0_scalar scalars_near_split_bounds[20] = { SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc), SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd), SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe), @@ -2840,43 +3681,43 @@ static const rustsecp256k1zkp_v0_5_0_scalar scalars_near_split_bounds[20] = { SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45) }; -void test_ecmult_target(const rustsecp256k1zkp_v0_5_0_scalar* target, int mode) { +void test_ecmult_target(const rustsecp256k1zkp_v0_6_0_scalar* target, int mode) { /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */ - rustsecp256k1zkp_v0_5_0_scalar n1, n2; - rustsecp256k1zkp_v0_5_0_ge p; - rustsecp256k1zkp_v0_5_0_gej pj, p1j, p2j, ptj; - static const rustsecp256k1zkp_v0_5_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1zkp_v0_6_0_scalar n1, n2; + rustsecp256k1zkp_v0_6_0_ge p; + rustsecp256k1zkp_v0_6_0_gej pj, p1j, p2j, ptj; + static const rustsecp256k1zkp_v0_6_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); /* Generate random n1,n2 such that n1+n2 = -target. */ random_scalar_order_test(&n1); - rustsecp256k1zkp_v0_5_0_scalar_add(&n2, &n1, target); - rustsecp256k1zkp_v0_5_0_scalar_negate(&n2, &n2); + rustsecp256k1zkp_v0_6_0_scalar_add(&n2, &n1, target); + rustsecp256k1zkp_v0_6_0_scalar_negate(&n2, &n2); /* Generate a random input point. */ if (mode != 0) { random_group_element_test(&p); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&pj, &p); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&pj, &p); } /* EC multiplications */ if (mode == 0) { - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target); } else if (mode == 1) { - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero); } else { - rustsecp256k1zkp_v0_5_0_ecmult_const(&p1j, &p, &n1, 256); - rustsecp256k1zkp_v0_5_0_ecmult_const(&p2j, &p, &n2, 256); - rustsecp256k1zkp_v0_5_0_ecmult_const(&ptj, &p, target, 256); + rustsecp256k1zkp_v0_6_0_ecmult_const(&p1j, &p, &n1, 256); + rustsecp256k1zkp_v0_6_0_ecmult_const(&p2j, &p, &n2, 256); + rustsecp256k1zkp_v0_6_0_ecmult_const(&ptj, &p, target, 256); } /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */ - rustsecp256k1zkp_v0_5_0_gej_add_var(&ptj, &ptj, &p1j, NULL); - rustsecp256k1zkp_v0_5_0_gej_add_var(&ptj, &ptj, &p2j, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&ptj)); + rustsecp256k1zkp_v0_6_0_gej_add_var(&ptj, &ptj, &p1j, NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&ptj, &ptj, &p2j, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&ptj)); } void run_ecmult_near_split_bound(void) { @@ -2893,118 +3734,118 @@ void run_ecmult_near_split_bound(void) { void run_point_times_order(void) { int i; - rustsecp256k1zkp_v0_5_0_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); - static const rustsecp256k1zkp_v0_5_0_fe xr = SECP256K1_FE_CONST( + rustsecp256k1zkp_v0_6_0_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); + static const rustsecp256k1zkp_v0_6_0_fe xr = SECP256K1_FE_CONST( 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 ); for (i = 0; i < 500; i++) { - rustsecp256k1zkp_v0_5_0_ge p; - if (rustsecp256k1zkp_v0_5_0_ge_set_xo_var(&p, &x, 1)) { - rustsecp256k1zkp_v0_5_0_gej j; - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_valid_var(&p)); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&j, &p); + rustsecp256k1zkp_v0_6_0_ge p; + if (rustsecp256k1zkp_v0_6_0_ge_set_xo_var(&p, &x, 1)) { + rustsecp256k1zkp_v0_6_0_gej j; + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_valid_var(&p)); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&j, &p); test_point_times_order(&j); } - rustsecp256k1zkp_v0_5_0_fe_sqr(&x, &x); + rustsecp256k1zkp_v0_6_0_fe_sqr(&x, &x); } - rustsecp256k1zkp_v0_5_0_fe_normalize_var(&x); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&x, &xr)); + rustsecp256k1zkp_v0_6_0_fe_normalize_var(&x); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&x, &xr)); } void ecmult_const_random_mult(void) { /* random starting point A (on the curve) */ - rustsecp256k1zkp_v0_5_0_ge a = SECP256K1_GE_CONST( + rustsecp256k1zkp_v0_6_0_ge a = SECP256K1_GE_CONST( 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d ); /* random initial factor xn */ - rustsecp256k1zkp_v0_5_0_scalar xn = SECP256K1_SCALAR_CONST( + rustsecp256k1zkp_v0_6_0_scalar xn = SECP256K1_SCALAR_CONST( 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b ); /* expected xn * A (from sage) */ - rustsecp256k1zkp_v0_5_0_ge expected_b = SECP256K1_GE_CONST( + rustsecp256k1zkp_v0_6_0_ge expected_b = SECP256K1_GE_CONST( 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 ); - rustsecp256k1zkp_v0_5_0_gej b; - rustsecp256k1zkp_v0_5_0_ecmult_const(&b, &a, &xn, 256); + rustsecp256k1zkp_v0_6_0_gej b; + rustsecp256k1zkp_v0_6_0_ecmult_const(&b, &a, &xn, 256); - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_valid_var(&a)); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_valid_var(&a)); ge_equals_gej(&expected_b, &b); } void ecmult_const_commutativity(void) { - rustsecp256k1zkp_v0_5_0_scalar a; - rustsecp256k1zkp_v0_5_0_scalar b; - rustsecp256k1zkp_v0_5_0_gej res1; - rustsecp256k1zkp_v0_5_0_gej res2; - rustsecp256k1zkp_v0_5_0_ge mid1; - rustsecp256k1zkp_v0_5_0_ge mid2; + rustsecp256k1zkp_v0_6_0_scalar a; + rustsecp256k1zkp_v0_6_0_scalar b; + rustsecp256k1zkp_v0_6_0_gej res1; + rustsecp256k1zkp_v0_6_0_gej res2; + rustsecp256k1zkp_v0_6_0_ge mid1; + rustsecp256k1zkp_v0_6_0_ge mid2; random_scalar_order_test(&a); random_scalar_order_test(&b); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res1, &rustsecp256k1zkp_v0_5_0_ge_const_g, &a, 256); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res2, &rustsecp256k1zkp_v0_5_0_ge_const_g, &b, 256); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&mid1, &res1); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&mid2, &res2); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res1, &mid1, &b, 256); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res2, &mid2, &a, 256); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&mid1, &res1); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&mid2, &res2); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res1, &rustsecp256k1zkp_v0_6_0_ge_const_g, &a, 256); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res2, &rustsecp256k1zkp_v0_6_0_ge_const_g, &b, 256); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&mid1, &res1); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&mid2, &res2); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res1, &mid1, &b, 256); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res2, &mid2, &a, 256); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&mid1, &res1); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&mid2, &res2); ge_equals_ge(&mid1, &mid2); } void ecmult_const_mult_zero_one(void) { - rustsecp256k1zkp_v0_5_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - rustsecp256k1zkp_v0_5_0_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1zkp_v0_5_0_scalar negone; - rustsecp256k1zkp_v0_5_0_gej res1; - rustsecp256k1zkp_v0_5_0_ge res2; - rustsecp256k1zkp_v0_5_0_ge point; - rustsecp256k1zkp_v0_5_0_scalar_negate(&negone, &one); + rustsecp256k1zkp_v0_6_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1zkp_v0_6_0_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1zkp_v0_6_0_scalar negone; + rustsecp256k1zkp_v0_6_0_gej res1; + rustsecp256k1zkp_v0_6_0_ge res2; + rustsecp256k1zkp_v0_6_0_ge point; + rustsecp256k1zkp_v0_6_0_scalar_negate(&negone, &one); random_group_element_test(&point); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res1, &point, &zero, 3); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res2, &res1); - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_infinity(&res2)); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res1, &point, &one, 2); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res2, &res1); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res1, &point, &zero, 3); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res2, &res1); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&res2)); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res1, &point, &one, 2); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res2, &res1); ge_equals_ge(&res2, &point); - rustsecp256k1zkp_v0_5_0_ecmult_const(&res1, &point, &negone, 256); - rustsecp256k1zkp_v0_5_0_gej_neg(&res1, &res1); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res2, &res1); + rustsecp256k1zkp_v0_6_0_ecmult_const(&res1, &point, &negone, 256); + rustsecp256k1zkp_v0_6_0_gej_neg(&res1, &res1); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res2, &res1); ge_equals_ge(&res2, &point); } void ecmult_const_chain_multiply(void) { /* Check known result (randomly generated test problem from sage) */ - const rustsecp256k1zkp_v0_5_0_scalar scalar = SECP256K1_SCALAR_CONST( + const rustsecp256k1zkp_v0_6_0_scalar scalar = SECP256K1_SCALAR_CONST( 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b ); - const rustsecp256k1zkp_v0_5_0_gej expected_point = SECP256K1_GEJ_CONST( + const rustsecp256k1zkp_v0_6_0_gej expected_point = SECP256K1_GEJ_CONST( 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 ); - rustsecp256k1zkp_v0_5_0_gej point; - rustsecp256k1zkp_v0_5_0_ge res; + rustsecp256k1zkp_v0_6_0_gej point; + rustsecp256k1zkp_v0_6_0_ge res; int i; - rustsecp256k1zkp_v0_5_0_gej_set_ge(&point, &rustsecp256k1zkp_v0_5_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&point, &rustsecp256k1zkp_v0_6_0_ge_const_g); for (i = 0; i < 100; ++i) { - rustsecp256k1zkp_v0_5_0_ge tmp; - rustsecp256k1zkp_v0_5_0_ge_set_gej(&tmp, &point); - rustsecp256k1zkp_v0_5_0_ecmult_const(&point, &tmp, &scalar, 256); + rustsecp256k1zkp_v0_6_0_ge tmp; + rustsecp256k1zkp_v0_6_0_ge_set_gej(&tmp, &point); + rustsecp256k1zkp_v0_6_0_ecmult_const(&point, &tmp, &scalar, 256); } - rustsecp256k1zkp_v0_5_0_ge_set_gej(&res, &point); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&res, &point); ge_equals_gej(&res, &expected_point); } @@ -3016,18 +3857,18 @@ void run_ecmult_const_tests(void) { } typedef struct { - rustsecp256k1zkp_v0_5_0_scalar *sc; - rustsecp256k1zkp_v0_5_0_ge *pt; + rustsecp256k1zkp_v0_6_0_scalar *sc; + rustsecp256k1zkp_v0_6_0_ge *pt; } ecmult_multi_data; -static int ecmult_multi_callback(rustsecp256k1zkp_v0_5_0_scalar *sc, rustsecp256k1zkp_v0_5_0_ge *pt, size_t idx, void *cbdata) { +static int ecmult_multi_callback(rustsecp256k1zkp_v0_6_0_scalar *sc, rustsecp256k1zkp_v0_6_0_ge *pt, size_t idx, void *cbdata) { ecmult_multi_data *data = (ecmult_multi_data*) cbdata; *sc = data->sc[idx]; *pt = data->pt[idx]; return 1; } -static int ecmult_multi_false_callback(rustsecp256k1zkp_v0_5_0_scalar *sc, rustsecp256k1zkp_v0_5_0_ge *pt, size_t idx, void *cbdata) { +static int ecmult_multi_false_callback(rustsecp256k1zkp_v0_6_0_scalar *sc, rustsecp256k1zkp_v0_6_0_ge *pt, size_t idx, void *cbdata) { (void)sc; (void)pt; (void)idx; @@ -3035,102 +3876,102 @@ static int ecmult_multi_false_callback(rustsecp256k1zkp_v0_5_0_scalar *sc, rusts return 0; } -void test_ecmult_multi(rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zkp_v0_5_0_ecmult_multi_func ecmult_multi) { +void test_ecmult_multi(rustsecp256k1zkp_v0_6_0_scratch *scratch, rustsecp256k1zkp_v0_6_0_ecmult_multi_func ecmult_multi) { int ncount; - rustsecp256k1zkp_v0_5_0_scalar szero; - rustsecp256k1zkp_v0_5_0_scalar sc[32]; - rustsecp256k1zkp_v0_5_0_ge pt[32]; - rustsecp256k1zkp_v0_5_0_gej r; - rustsecp256k1zkp_v0_5_0_gej r2; + rustsecp256k1zkp_v0_6_0_scalar szero; + rustsecp256k1zkp_v0_6_0_scalar sc[32]; + rustsecp256k1zkp_v0_6_0_ge pt[32]; + rustsecp256k1zkp_v0_6_0_gej r; + rustsecp256k1zkp_v0_6_0_gej r2; ecmult_multi_data data; data.sc = sc; data.pt = pt; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&szero, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&szero, 0); /* No points to multiply */ CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0)); /* Check 1- and 2-point multiplies against ecmult */ for (ncount = 0; ncount < count; ncount++) { - rustsecp256k1zkp_v0_5_0_ge ptg; - rustsecp256k1zkp_v0_5_0_gej ptgj; + rustsecp256k1zkp_v0_6_0_ge ptg; + rustsecp256k1zkp_v0_6_0_gej ptgj; random_scalar_order(&sc[0]); random_scalar_order(&sc[1]); random_group_element_test(&ptg); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&ptgj, &ptg); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&ptgj, &ptg); pt[0] = ptg; - pt[1] = rustsecp256k1zkp_v0_5_0_ge_const_g; + pt[1] = rustsecp256k1zkp_v0_6_0_ge_const_g; /* only G scalar */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0)); - rustsecp256k1zkp_v0_5_0_gej_neg(&r2, &r2); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_gej_neg(&r2, &r2); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); /* 1-point */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1)); - rustsecp256k1zkp_v0_5_0_gej_neg(&r2, &r2); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_gej_neg(&r2, &r2); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); /* Try to multiply 1 point, but callback returns false */ CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1)); /* 2-point */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2)); - rustsecp256k1zkp_v0_5_0_gej_neg(&r2, &r2); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_gej_neg(&r2, &r2); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); /* 2-point with G scalar */ - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1)); - rustsecp256k1zkp_v0_5_0_gej_neg(&r2, &r2); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_gej_neg(&r2, &r2); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } /* Check infinite outputs of various forms */ for (ncount = 0; ncount < count; ncount++) { - rustsecp256k1zkp_v0_5_0_ge ptg; + rustsecp256k1zkp_v0_6_0_ge ptg; size_t i, j; size_t sizes[] = { 2, 10, 32 }; for (j = 0; j < 3; j++) { for (i = 0; i < 32; i++) { random_scalar_order(&sc[i]); - rustsecp256k1zkp_v0_5_0_ge_set_infinity(&pt[i]); + rustsecp256k1zkp_v0_6_0_ge_set_infinity(&pt[i]); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } for (j = 0; j < 3; j++) { for (i = 0; i < 32; i++) { random_group_element_test(&ptg); pt[i] = ptg; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sc[i], 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sc[i], 0); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } for (j = 0; j < 3; j++) { random_group_element_test(&ptg); for (i = 0; i < 16; i++) { random_scalar_order(&sc[2*i]); - rustsecp256k1zkp_v0_5_0_scalar_negate(&sc[2*i + 1], &sc[2*i]); + rustsecp256k1zkp_v0_6_0_scalar_negate(&sc[2*i + 1], &sc[2*i]); pt[2 * i] = ptg; pt[2 * i + 1] = ptg; } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); random_scalar_order(&sc[0]); for (i = 0; i < 16; i++) { @@ -3139,70 +3980,70 @@ void test_ecmult_multi(rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zk sc[2*i] = sc[0]; sc[2*i+1] = sc[0]; pt[2 * i] = ptg; - rustsecp256k1zkp_v0_5_0_ge_neg(&pt[2*i+1], &pt[2*i]); + rustsecp256k1zkp_v0_6_0_ge_neg(&pt[2*i+1], &pt[2*i]); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } random_group_element_test(&ptg); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sc[0], 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sc[0], 0); pt[0] = ptg; for (i = 1; i < 32; i++) { pt[i] = ptg; random_scalar_order(&sc[i]); - rustsecp256k1zkp_v0_5_0_scalar_add(&sc[0], &sc[0], &sc[i]); - rustsecp256k1zkp_v0_5_0_scalar_negate(&sc[i], &sc[i]); + rustsecp256k1zkp_v0_6_0_scalar_add(&sc[0], &sc[0], &sc[i]); + rustsecp256k1zkp_v0_6_0_scalar_negate(&sc[i], &sc[i]); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32)); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } /* Check random points, constant scalar */ for (ncount = 0; ncount < count; ncount++) { size_t i; - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&r); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&r); random_scalar_order(&sc[0]); for (i = 0; i < 20; i++) { - rustsecp256k1zkp_v0_5_0_ge ptg; + rustsecp256k1zkp_v0_6_0_ge ptg; sc[i] = sc[0]; random_group_element_test(&ptg); pt[i] = ptg; - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&r, &r, &pt[i], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&r, &r, &pt[i], NULL); } - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); - rustsecp256k1zkp_v0_5_0_gej_neg(&r2, &r2); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_gej_neg(&r2, &r2); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } /* Check random scalars, constant point */ for (ncount = 0; ncount < count; ncount++) { size_t i; - rustsecp256k1zkp_v0_5_0_ge ptg; - rustsecp256k1zkp_v0_5_0_gej p0j; - rustsecp256k1zkp_v0_5_0_scalar rs; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&rs, 0); + rustsecp256k1zkp_v0_6_0_ge ptg; + rustsecp256k1zkp_v0_6_0_gej p0j; + rustsecp256k1zkp_v0_6_0_scalar rs; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&rs, 0); random_group_element_test(&ptg); for (i = 0; i < 20; i++) { random_scalar_order(&sc[i]); pt[i] = ptg; - rustsecp256k1zkp_v0_5_0_scalar_add(&rs, &rs, &sc[i]); + rustsecp256k1zkp_v0_6_0_scalar_add(&rs, &rs, &sc[i]); } - rustsecp256k1zkp_v0_5_0_gej_set_ge(&p0j, &pt[0]); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&p0j, &pt[0]); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); - rustsecp256k1zkp_v0_5_0_gej_neg(&r2, &r2); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_gej_neg(&r2, &r2); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } /* Sanity check that zero scalars don't cause problems */ @@ -3211,62 +4052,62 @@ void test_ecmult_multi(rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zk random_group_element_test(&pt[ncount]); } - rustsecp256k1zkp_v0_5_0_scalar_clear(&sc[0]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sc[0]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sc[1]); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sc[2]); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sc[3]); - rustsecp256k1zkp_v0_5_0_scalar_clear(&sc[4]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sc[1]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sc[2]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sc[3]); + rustsecp256k1zkp_v0_6_0_scalar_clear(&sc[4]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6)); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5)); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */ { const size_t TOP = 8; size_t s0i, s1i; size_t t0i, t1i; - rustsecp256k1zkp_v0_5_0_ge ptg; - rustsecp256k1zkp_v0_5_0_gej ptgj; + rustsecp256k1zkp_v0_6_0_ge ptg; + rustsecp256k1zkp_v0_6_0_gej ptgj; random_group_element_test(&ptg); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&ptgj, &ptg); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&ptgj, &ptg); for(t0i = 0; t0i < TOP; t0i++) { for(t1i = 0; t1i < TOP; t1i++) { - rustsecp256k1zkp_v0_5_0_gej t0p, t1p; - rustsecp256k1zkp_v0_5_0_scalar t0, t1; + rustsecp256k1zkp_v0_6_0_gej t0p, t1p; + rustsecp256k1zkp_v0_6_0_scalar t0, t1; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t0, (t0i + 1) / 2); - rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&t0, t0i & 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t1, (t1i + 1) / 2); - rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&t1, t1i & 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t0, (t0i + 1) / 2); + rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&t0, t0i & 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t1, (t1i + 1) / 2); + rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&t1, t1i & 1); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero); for(s0i = 0; s0i < TOP; s0i++) { for(s1i = 0; s1i < TOP; s1i++) { - rustsecp256k1zkp_v0_5_0_scalar tmp1, tmp2; - rustsecp256k1zkp_v0_5_0_gej expected, actual; + rustsecp256k1zkp_v0_6_0_scalar tmp1, tmp2; + rustsecp256k1zkp_v0_6_0_gej expected, actual; - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pt[0], &t0p); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pt[1], &t1p); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pt[0], &t0p); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pt[1], &t1p); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sc[0], (s0i + 1) / 2); - rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&sc[0], s0i & 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sc[1], (s1i + 1) / 2); - rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&sc[1], s1i & 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sc[0], (s0i + 1) / 2); + rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&sc[0], s0i & 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sc[1], (s1i + 1) / 2); + rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&sc[1], s1i & 1); - rustsecp256k1zkp_v0_5_0_scalar_mul(&tmp1, &t0, &sc[0]); - rustsecp256k1zkp_v0_5_0_scalar_mul(&tmp2, &t1, &sc[1]); - rustsecp256k1zkp_v0_5_0_scalar_add(&tmp1, &tmp1, &tmp2); + rustsecp256k1zkp_v0_6_0_scalar_mul(&tmp1, &t0, &sc[0]); + rustsecp256k1zkp_v0_6_0_scalar_mul(&tmp2, &t1, &sc[1]); + rustsecp256k1zkp_v0_6_0_scalar_add(&tmp1, &tmp1, &tmp2); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2)); - rustsecp256k1zkp_v0_5_0_gej_neg(&expected, &expected); - rustsecp256k1zkp_v0_5_0_gej_add_var(&actual, &actual, &expected, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&actual)); + rustsecp256k1zkp_v0_6_0_gej_neg(&expected, &expected); + rustsecp256k1zkp_v0_6_0_gej_add_var(&actual, &actual, &expected, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&actual)); } } } @@ -3274,38 +4115,38 @@ void test_ecmult_multi(rustsecp256k1zkp_v0_5_0_scratch *scratch, rustsecp256k1zk } } -void test_ecmult_multi_batch_single(rustsecp256k1zkp_v0_5_0_ecmult_multi_func ecmult_multi) { - rustsecp256k1zkp_v0_5_0_scalar szero; - rustsecp256k1zkp_v0_5_0_scalar sc; - rustsecp256k1zkp_v0_5_0_ge pt; - rustsecp256k1zkp_v0_5_0_gej r; +void test_ecmult_multi_batch_single(rustsecp256k1zkp_v0_6_0_ecmult_multi_func ecmult_multi) { + rustsecp256k1zkp_v0_6_0_scalar szero; + rustsecp256k1zkp_v0_6_0_scalar sc; + rustsecp256k1zkp_v0_6_0_ge pt; + rustsecp256k1zkp_v0_6_0_gej r; ecmult_multi_data data; - rustsecp256k1zkp_v0_5_0_scratch *scratch_empty; + rustsecp256k1zkp_v0_6_0_scratch *scratch_empty; random_group_element_test(&pt); random_scalar_order(&sc); data.sc = ≻ data.pt = &pt; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&szero, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&szero, 0); /* Try to multiply 1 point, but scratch space is empty.*/ - scratch_empty = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, 0); + scratch_empty = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, 0); CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1)); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch_empty); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch_empty); } -void test_rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(void) { +void test_rustsecp256k1zkp_v0_6_0_pippenger_bucket_window_inv(void) { int i; - CHECK(rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pippenger_bucket_window_inv(0) == 0); for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) { /* Bucket_window of 8 is not used with endo */ if (i == 8) { continue; } - CHECK(rustsecp256k1zkp_v0_5_0_pippenger_bucket_window(rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(i)) == i); + CHECK(rustsecp256k1zkp_v0_6_0_pippenger_bucket_window(rustsecp256k1zkp_v0_6_0_pippenger_bucket_window_inv(i)) == i); if (i != PIPPENGER_MAX_BUCKET_WINDOW) { - CHECK(rustsecp256k1zkp_v0_5_0_pippenger_bucket_window(rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(i)+1) > i); + CHECK(rustsecp256k1zkp_v0_6_0_pippenger_bucket_window(rustsecp256k1zkp_v0_6_0_pippenger_bucket_window_inv(i)+1) > i); } } } @@ -3315,9 +4156,9 @@ void test_rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(void) { * for a given scratch space. */ void test_ecmult_multi_pippenger_max_points(void) { - size_t scratch_size = rustsecp256k1zkp_v0_5_0_testrand_int(256); - size_t max_size = rustsecp256k1zkp_v0_5_0_pippenger_scratch_size(rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); - rustsecp256k1zkp_v0_5_0_scratch *scratch; + size_t scratch_size = rustsecp256k1zkp_v0_6_0_testrand_int(256); + size_t max_size = rustsecp256k1zkp_v0_6_0_pippenger_scratch_size(rustsecp256k1zkp_v0_6_0_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); + rustsecp256k1zkp_v0_6_0_scratch *scratch; size_t n_points_supported; int bucket_window = 0; @@ -3325,24 +4166,24 @@ void test_ecmult_multi_pippenger_max_points(void) { size_t i; size_t total_alloc; size_t checkpoint; - scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, scratch_size); + scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, scratch_size); CHECK(scratch != NULL); - checkpoint = rustsecp256k1zkp_v0_5_0_scratch_checkpoint(&ctx->error_callback, scratch); - n_points_supported = rustsecp256k1zkp_v0_5_0_pippenger_max_points(&ctx->error_callback, scratch); + checkpoint = rustsecp256k1zkp_v0_6_0_scratch_checkpoint(&ctx->error_callback, scratch); + n_points_supported = rustsecp256k1zkp_v0_6_0_pippenger_max_points(&ctx->error_callback, scratch); if (n_points_supported == 0) { - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); continue; } - bucket_window = rustsecp256k1zkp_v0_5_0_pippenger_bucket_window(n_points_supported); + bucket_window = rustsecp256k1zkp_v0_6_0_pippenger_bucket_window(n_points_supported); /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */ - total_alloc = rustsecp256k1zkp_v0_5_0_pippenger_scratch_size(n_points_supported, bucket_window); + total_alloc = rustsecp256k1zkp_v0_6_0_pippenger_scratch_size(n_points_supported, bucket_window); for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) { - CHECK(rustsecp256k1zkp_v0_5_0_scratch_alloc(&ctx->error_callback, scratch, 1)); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_alloc(&ctx->error_callback, scratch, 1)); total_alloc--; } - CHECK(rustsecp256k1zkp_v0_5_0_scratch_alloc(&ctx->error_callback, scratch, total_alloc)); - rustsecp256k1zkp_v0_5_0_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + CHECK(rustsecp256k1zkp_v0_6_0_scratch_alloc(&ctx->error_callback, scratch, total_alloc)); + rustsecp256k1zkp_v0_6_0_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); } CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW); } @@ -3352,152 +4193,152 @@ void test_ecmult_multi_batch_size_helper(void) { max_n_batch_points = 0; n = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); max_n_batch_points = 1; n = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 0); CHECK(n_batch_points == 0); max_n_batch_points = 2; n = 5; - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 3); CHECK(n_batch_points == 2); max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH; n = ECMULT_MAX_POINTS_PER_BATCH; - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 1); CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH); max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1; n = ECMULT_MAX_POINTS_PER_BATCH + 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 2); CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1); max_n_batch_points = 1; n = SIZE_MAX; - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == SIZE_MAX); CHECK(n_batch_points == 1); max_n_batch_points = 2; n = SIZE_MAX; - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == SIZE_MAX/2 + 1); CHECK(n_batch_points == 2); } /** - * Run rustsecp256k1zkp_v0_5_0_ecmult_multi_var with num points and a scratch space restricted to + * Run rustsecp256k1zkp_v0_6_0_ecmult_multi_var with num points and a scratch space restricted to * 1 <= i <= num points. */ void test_ecmult_multi_batching(void) { static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD; - rustsecp256k1zkp_v0_5_0_scalar scG; - rustsecp256k1zkp_v0_5_0_scalar szero; - rustsecp256k1zkp_v0_5_0_scalar *sc = (rustsecp256k1zkp_v0_5_0_scalar *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_5_0_scalar) * n_points); - rustsecp256k1zkp_v0_5_0_ge *pt = (rustsecp256k1zkp_v0_5_0_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_5_0_ge) * n_points); - rustsecp256k1zkp_v0_5_0_gej r; - rustsecp256k1zkp_v0_5_0_gej r2; + rustsecp256k1zkp_v0_6_0_scalar scG; + rustsecp256k1zkp_v0_6_0_scalar szero; + rustsecp256k1zkp_v0_6_0_scalar *sc = (rustsecp256k1zkp_v0_6_0_scalar *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_6_0_scalar) * n_points); + rustsecp256k1zkp_v0_6_0_ge *pt = (rustsecp256k1zkp_v0_6_0_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1zkp_v0_6_0_ge) * n_points); + rustsecp256k1zkp_v0_6_0_gej r; + rustsecp256k1zkp_v0_6_0_gej r2; ecmult_multi_data data; int i; - rustsecp256k1zkp_v0_5_0_scratch *scratch; + rustsecp256k1zkp_v0_6_0_scratch *scratch; - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&r2); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&szero, 0); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&r2); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&szero, 0); /* Get random scalars and group elements and compute result */ random_scalar_order(&scG); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG); for(i = 0; i < n_points; i++) { - rustsecp256k1zkp_v0_5_0_ge ptg; - rustsecp256k1zkp_v0_5_0_gej ptgj; + rustsecp256k1zkp_v0_6_0_ge ptg; + rustsecp256k1zkp_v0_6_0_gej ptgj; random_group_element_test(&ptg); - rustsecp256k1zkp_v0_5_0_gej_set_ge(&ptgj, &ptg); + rustsecp256k1zkp_v0_6_0_gej_set_ge(&ptgj, &ptg); pt[i] = ptg; random_scalar_order(&sc[i]); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r2, &r2, &ptgj, NULL); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r2, &r2, &ptgj, NULL); } data.sc = sc; data.pt = pt; - rustsecp256k1zkp_v0_5_0_gej_neg(&r2, &r2); + rustsecp256k1zkp_v0_6_0_gej_neg(&r2, &r2); /* Test with empty scratch space. It should compute the correct result using * ecmult_mult_simple algorithm which doesn't require a scratch space. */ - scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); /* Test with space for 1 point in pippenger. That's not enough because * ecmult_multi selects strauss which requires more memory. It should * therefore select the simple algorithm. */ - scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, rustsecp256k1zkp_v0_5_0_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, rustsecp256k1zkp_v0_6_0_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); for(i = 1; i <= n_points; i++) { if (i > ECMULT_PIPPENGER_THRESHOLD) { - int bucket_window = rustsecp256k1zkp_v0_5_0_pippenger_bucket_window(i); - size_t scratch_size = rustsecp256k1zkp_v0_5_0_pippenger_scratch_size(i, bucket_window); - scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); + int bucket_window = rustsecp256k1zkp_v0_6_0_pippenger_bucket_window(i); + size_t scratch_size = rustsecp256k1zkp_v0_6_0_pippenger_scratch_size(i, bucket_window); + scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); } else { - size_t scratch_size = rustsecp256k1zkp_v0_5_0_strauss_scratch_size(i); - scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); + size_t scratch_size = rustsecp256k1zkp_v0_6_0_strauss_scratch_size(i); + scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); } - CHECK(rustsecp256k1zkp_v0_5_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); - rustsecp256k1zkp_v0_5_0_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + CHECK(rustsecp256k1zkp_v0_6_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); + rustsecp256k1zkp_v0_6_0_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); } free(sc); free(pt); } void run_ecmult_multi_tests(void) { - rustsecp256k1zkp_v0_5_0_scratch *scratch; + rustsecp256k1zkp_v0_6_0_scratch *scratch; - test_rustsecp256k1zkp_v0_5_0_pippenger_bucket_window_inv(); + test_rustsecp256k1zkp_v0_6_0_pippenger_bucket_window_inv(); test_ecmult_multi_pippenger_max_points(); - scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, 819200); - test_ecmult_multi(scratch, rustsecp256k1zkp_v0_5_0_ecmult_multi_var); - test_ecmult_multi(NULL, rustsecp256k1zkp_v0_5_0_ecmult_multi_var); - test_ecmult_multi(scratch, rustsecp256k1zkp_v0_5_0_ecmult_pippenger_batch_single); - test_ecmult_multi_batch_single(rustsecp256k1zkp_v0_5_0_ecmult_pippenger_batch_single); - test_ecmult_multi(scratch, rustsecp256k1zkp_v0_5_0_ecmult_strauss_batch_single); - test_ecmult_multi_batch_single(rustsecp256k1zkp_v0_5_0_ecmult_strauss_batch_single); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, 819200); + test_ecmult_multi(scratch, rustsecp256k1zkp_v0_6_0_ecmult_multi_var); + test_ecmult_multi(NULL, rustsecp256k1zkp_v0_6_0_ecmult_multi_var); + test_ecmult_multi(scratch, rustsecp256k1zkp_v0_6_0_ecmult_pippenger_batch_single); + test_ecmult_multi_batch_single(rustsecp256k1zkp_v0_6_0_ecmult_pippenger_batch_single); + test_ecmult_multi(scratch, rustsecp256k1zkp_v0_6_0_ecmult_strauss_batch_single); + test_ecmult_multi_batch_single(rustsecp256k1zkp_v0_6_0_ecmult_strauss_batch_single); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); /* Run test_ecmult_multi with space for exactly one point */ - scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, rustsecp256k1zkp_v0_5_0_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); - test_ecmult_multi(scratch, rustsecp256k1zkp_v0_5_0_ecmult_multi_var); - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, rustsecp256k1zkp_v0_6_0_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); + test_ecmult_multi(scratch, rustsecp256k1zkp_v0_6_0_ecmult_multi_var); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); test_ecmult_multi_batch_size_helper(); test_ecmult_multi_batching(); } -void test_wnaf(const rustsecp256k1zkp_v0_5_0_scalar *number, int w) { - rustsecp256k1zkp_v0_5_0_scalar x, two, t; +void test_wnaf(const rustsecp256k1zkp_v0_6_0_scalar *number, int w) { + rustsecp256k1zkp_v0_6_0_scalar x, two, t; int wnaf[256]; int zeroes = -1; int i; int bits; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&x, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&two, 2); - bits = rustsecp256k1zkp_v0_5_0_ecmult_wnaf(wnaf, 256, number, w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&x, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&two, 2); + bits = rustsecp256k1zkp_v0_6_0_ecmult_wnaf(wnaf, 256, number, w); CHECK(bits <= 256); for (i = bits-1; i >= 0; i--) { int v = wnaf[i]; - rustsecp256k1zkp_v0_5_0_scalar_mul(&x, &x, &two); + rustsecp256k1zkp_v0_6_0_scalar_mul(&x, &x, &two); if (v) { CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ zeroes=0; @@ -3509,104 +4350,104 @@ void test_wnaf(const rustsecp256k1zkp_v0_5_0_scalar *number, int w) { zeroes++; } if (v >= 0) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t, v); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t, v); } else { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t, -v); - rustsecp256k1zkp_v0_5_0_scalar_negate(&t, &t); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t, -v); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t, &t); } - rustsecp256k1zkp_v0_5_0_scalar_add(&x, &x, &t); + rustsecp256k1zkp_v0_6_0_scalar_add(&x, &x, &t); } - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&x, number)); /* check that wnaf represents number */ + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&x, number)); /* check that wnaf represents number */ } -void test_constant_wnaf_negate(const rustsecp256k1zkp_v0_5_0_scalar *number) { - rustsecp256k1zkp_v0_5_0_scalar neg1 = *number; - rustsecp256k1zkp_v0_5_0_scalar neg2 = *number; +void test_constant_wnaf_negate(const rustsecp256k1zkp_v0_6_0_scalar *number) { + rustsecp256k1zkp_v0_6_0_scalar neg1 = *number; + rustsecp256k1zkp_v0_6_0_scalar neg2 = *number; int sign1 = 1; int sign2 = 1; - if (!rustsecp256k1zkp_v0_5_0_scalar_get_bits(&neg1, 0, 1)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&neg1, &neg1); + if (!rustsecp256k1zkp_v0_6_0_scalar_get_bits(&neg1, 0, 1)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&neg1, &neg1); sign1 = -1; } - sign2 = rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&neg2, rustsecp256k1zkp_v0_5_0_scalar_is_even(&neg2)); + sign2 = rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&neg2, rustsecp256k1zkp_v0_6_0_scalar_is_even(&neg2)); CHECK(sign1 == sign2); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&neg1, &neg2)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&neg1, &neg2)); } -void test_constant_wnaf(const rustsecp256k1zkp_v0_5_0_scalar *number, int w) { - rustsecp256k1zkp_v0_5_0_scalar x, shift; +void test_constant_wnaf(const rustsecp256k1zkp_v0_6_0_scalar *number, int w) { + rustsecp256k1zkp_v0_6_0_scalar x, shift; int wnaf[256] = {0}; int i; int skew; int bits = 256; - rustsecp256k1zkp_v0_5_0_scalar num = *number; - rustsecp256k1zkp_v0_5_0_scalar scalar_skew; + rustsecp256k1zkp_v0_6_0_scalar num = *number; + rustsecp256k1zkp_v0_6_0_scalar scalar_skew; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&x, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&shift, 1 << w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&x, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&shift, 1 << w); for (i = 0; i < 16; ++i) { - rustsecp256k1zkp_v0_5_0_scalar_shr_int(&num, 8); + rustsecp256k1zkp_v0_6_0_scalar_shr_int(&num, 8); } bits = 128; - skew = rustsecp256k1zkp_v0_5_0_wnaf_const(wnaf, &num, w, bits); + skew = rustsecp256k1zkp_v0_6_0_wnaf_const(wnaf, &num, w, bits); for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) { - rustsecp256k1zkp_v0_5_0_scalar t; + rustsecp256k1zkp_v0_6_0_scalar t; int v = wnaf[i]; CHECK(v != 0); /* check nonzero */ CHECK(v & 1); /* check parity */ CHECK(v > -(1 << w)); /* check range above */ CHECK(v < (1 << w)); /* check range below */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&x, &x, &shift); + rustsecp256k1zkp_v0_6_0_scalar_mul(&x, &x, &shift); if (v >= 0) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t, v); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t, v); } else { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t, -v); - rustsecp256k1zkp_v0_5_0_scalar_negate(&t, &t); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t, -v); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t, &t); } - rustsecp256k1zkp_v0_5_0_scalar_add(&x, &x, &t); + rustsecp256k1zkp_v0_6_0_scalar_add(&x, &x, &t); } /* Skew num because when encoding numbers as odd we use an offset */ - rustsecp256k1zkp_v0_5_0_scalar_set_int(&scalar_skew, 1 << (skew == 2)); - rustsecp256k1zkp_v0_5_0_scalar_add(&num, &num, &scalar_skew); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&x, &num)); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&scalar_skew, 1 << (skew == 2)); + rustsecp256k1zkp_v0_6_0_scalar_add(&num, &num, &scalar_skew); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&x, &num)); } -void test_fixed_wnaf(const rustsecp256k1zkp_v0_5_0_scalar *number, int w) { - rustsecp256k1zkp_v0_5_0_scalar x, shift; +void test_fixed_wnaf(const rustsecp256k1zkp_v0_6_0_scalar *number, int w) { + rustsecp256k1zkp_v0_6_0_scalar x, shift; int wnaf[256] = {0}; int i; int skew; - rustsecp256k1zkp_v0_5_0_scalar num = *number; + rustsecp256k1zkp_v0_6_0_scalar num = *number; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&x, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&shift, 1 << w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&x, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&shift, 1 << w); for (i = 0; i < 16; ++i) { - rustsecp256k1zkp_v0_5_0_scalar_shr_int(&num, 8); + rustsecp256k1zkp_v0_6_0_scalar_shr_int(&num, 8); } - skew = rustsecp256k1zkp_v0_5_0_wnaf_fixed(wnaf, &num, w); + skew = rustsecp256k1zkp_v0_6_0_wnaf_fixed(wnaf, &num, w); for (i = WNAF_SIZE(w)-1; i >= 0; --i) { - rustsecp256k1zkp_v0_5_0_scalar t; + rustsecp256k1zkp_v0_6_0_scalar t; int v = wnaf[i]; CHECK(v == 0 || v & 1); /* check parity */ CHECK(v > -(1 << w)); /* check range above */ CHECK(v < (1 << w)); /* check range below */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&x, &x, &shift); + rustsecp256k1zkp_v0_6_0_scalar_mul(&x, &x, &shift); if (v >= 0) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t, v); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t, v); } else { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&t, -v); - rustsecp256k1zkp_v0_5_0_scalar_negate(&t, &t); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&t, -v); + rustsecp256k1zkp_v0_6_0_scalar_negate(&t, &t); } - rustsecp256k1zkp_v0_5_0_scalar_add(&x, &x, &t); + rustsecp256k1zkp_v0_6_0_scalar_add(&x, &x, &t); } /* If skew is 1 then add 1 to num */ - rustsecp256k1zkp_v0_5_0_scalar_cadd_bit(&num, 0, skew == 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&x, &num)); + rustsecp256k1zkp_v0_6_0_scalar_cadd_bit(&num, 0, skew == 1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&x, &num)); } /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the @@ -3626,18 +4467,18 @@ void test_fixed_wnaf_small(void) { int wnaf[256] = {0}; int i; int skew; - rustsecp256k1zkp_v0_5_0_scalar num; + rustsecp256k1zkp_v0_6_0_scalar num; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&num, 0); - skew = rustsecp256k1zkp_v0_5_0_wnaf_fixed(wnaf, &num, w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&num, 0); + skew = rustsecp256k1zkp_v0_6_0_wnaf_fixed(wnaf, &num, w); for (i = WNAF_SIZE(w)-1; i >= 0; --i) { int v = wnaf[i]; CHECK(v == 0); } CHECK(skew == 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&num, 1); - skew = rustsecp256k1zkp_v0_5_0_wnaf_fixed(wnaf, &num, w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&num, 1); + skew = rustsecp256k1zkp_v0_6_0_wnaf_fixed(wnaf, &num, w); for (i = WNAF_SIZE(w)-1; i >= 1; --i) { int v = wnaf[i]; CHECK(v == 0); @@ -3647,29 +4488,29 @@ void test_fixed_wnaf_small(void) { { int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&num, 0xffffffff); - skew = rustsecp256k1zkp_v0_5_0_wnaf_fixed(wnaf, &num, w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&num, 0xffffffff); + skew = rustsecp256k1zkp_v0_6_0_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 0); } { int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf }; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&num, 0xeeeeeeee); - skew = rustsecp256k1zkp_v0_5_0_wnaf_fixed(wnaf, &num, w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&num, 0xeeeeeeee); + skew = rustsecp256k1zkp_v0_6_0_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 1); } { int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 }; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&num, 0x01010101); - skew = rustsecp256k1zkp_v0_5_0_wnaf_fixed(wnaf, &num, w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&num, 0x01010101); + skew = rustsecp256k1zkp_v0_6_0_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 0); } { int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&num, 0x01ef1ef1); - skew = rustsecp256k1zkp_v0_5_0_wnaf_fixed(wnaf, &num, w); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&num, 0x01ef1ef1); + skew = rustsecp256k1zkp_v0_6_0_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 0); } @@ -3677,7 +4518,7 @@ void test_fixed_wnaf_small(void) { void run_wnaf(void) { int i; - rustsecp256k1zkp_v0_5_0_scalar n = {{0}}; + rustsecp256k1zkp_v0_6_0_scalar n = {{0}}; test_constant_wnaf(&n, 4); /* Sanity check: 1 and 2 are the smallest odd and even numbers and should @@ -3687,21 +4528,21 @@ void run_wnaf(void) { n.d[0] = 2; test_constant_wnaf(&n, 4); /* Test -1, because it's a special case in wnaf_const */ - n = rustsecp256k1zkp_v0_5_0_scalar_one; - rustsecp256k1zkp_v0_5_0_scalar_negate(&n, &n); + n = rustsecp256k1zkp_v0_6_0_scalar_one; + rustsecp256k1zkp_v0_6_0_scalar_negate(&n, &n); test_constant_wnaf(&n, 4); /* Test -2, which may not lead to overflows in wnaf_const */ - rustsecp256k1zkp_v0_5_0_scalar_add(&n, &rustsecp256k1zkp_v0_5_0_scalar_one, &rustsecp256k1zkp_v0_5_0_scalar_one); - rustsecp256k1zkp_v0_5_0_scalar_negate(&n, &n); + rustsecp256k1zkp_v0_6_0_scalar_add(&n, &rustsecp256k1zkp_v0_6_0_scalar_one, &rustsecp256k1zkp_v0_6_0_scalar_one); + rustsecp256k1zkp_v0_6_0_scalar_negate(&n, &n); test_constant_wnaf(&n, 4); /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1 as corner cases of negation handling in wnaf_const */ - rustsecp256k1zkp_v0_5_0_scalar_inverse(&n, &n); + rustsecp256k1zkp_v0_6_0_scalar_inverse(&n, &n); test_constant_wnaf(&n, 4); - rustsecp256k1zkp_v0_5_0_scalar_add(&n, &n, &rustsecp256k1zkp_v0_5_0_scalar_one); + rustsecp256k1zkp_v0_6_0_scalar_add(&n, &n, &rustsecp256k1zkp_v0_6_0_scalar_one); test_constant_wnaf(&n, 4); /* Test 0 for fixed wnaf */ @@ -3714,43 +4555,43 @@ void run_wnaf(void) { test_constant_wnaf(&n, 4 + (i % 10)); test_fixed_wnaf(&n, 4 + (i % 10)); } - rustsecp256k1zkp_v0_5_0_scalar_set_int(&n, 0); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&n, 1) == -1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&n)); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_cond_negate(&n, 0) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_is_zero(&n)); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&n, 0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&n, 1) == -1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(&n)); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_cond_negate(&n, 0) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_is_zero(&n)); } void test_ecmult_constants(void) { /* Test ecmult_gen() for [0..36) and [order-36..0). */ - rustsecp256k1zkp_v0_5_0_scalar x; - rustsecp256k1zkp_v0_5_0_gej r; - rustsecp256k1zkp_v0_5_0_ge ng; + rustsecp256k1zkp_v0_6_0_scalar x; + rustsecp256k1zkp_v0_6_0_gej r; + rustsecp256k1zkp_v0_6_0_ge ng; int i; int j; - rustsecp256k1zkp_v0_5_0_ge_neg(&ng, &rustsecp256k1zkp_v0_5_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_ge_neg(&ng, &rustsecp256k1zkp_v0_6_0_ge_const_g); for (i = 0; i < 36; i++ ) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&x, i); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&x, i); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); for (j = 0; j < i; j++) { if (j == i - 1) { - ge_equals_gej(&rustsecp256k1zkp_v0_5_0_ge_const_g, &r); + ge_equals_gej(&rustsecp256k1zkp_v0_6_0_ge_const_g, &r); } - rustsecp256k1zkp_v0_5_0_gej_add_ge(&r, &r, &ng); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&r, &r, &ng); } - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } for (i = 1; i <= 36; i++ ) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&x, i); - rustsecp256k1zkp_v0_5_0_scalar_negate(&x, &x); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&x, i); + rustsecp256k1zkp_v0_6_0_scalar_negate(&x, &x); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); for (j = 0; j < i; j++) { if (j == i - 1) { ge_equals_gej(&ng, &r); } - rustsecp256k1zkp_v0_5_0_gej_add_ge(&r, &r, &rustsecp256k1zkp_v0_5_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&r, &r, &rustsecp256k1zkp_v0_6_0_ge_const_g); } - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&r)); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&r)); } } @@ -3760,36 +4601,36 @@ void run_ecmult_constants(void) { void test_ecmult_gen_blind(void) { /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */ - rustsecp256k1zkp_v0_5_0_scalar key; - rustsecp256k1zkp_v0_5_0_scalar b; + rustsecp256k1zkp_v0_6_0_scalar key; + rustsecp256k1zkp_v0_6_0_scalar b; unsigned char seed32[32]; - rustsecp256k1zkp_v0_5_0_gej pgej; - rustsecp256k1zkp_v0_5_0_gej pgej2; - rustsecp256k1zkp_v0_5_0_gej i; - rustsecp256k1zkp_v0_5_0_ge pge; + rustsecp256k1zkp_v0_6_0_gej pgej; + rustsecp256k1zkp_v0_6_0_gej pgej2; + rustsecp256k1zkp_v0_6_0_gej i; + rustsecp256k1zkp_v0_6_0_ge pge; random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key); - rustsecp256k1zkp_v0_5_0_testrand256(seed32); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key); + rustsecp256k1zkp_v0_6_0_testrand256(seed32); b = ctx->ecmult_gen_ctx.blind; i = ctx->ecmult_gen_ctx.initial; - rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key); + rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); + CHECK(!rustsecp256k1zkp_v0_6_0_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key); CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial)); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pge, &pgej); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pge, &pgej); ge_equals_gej(&pge, &pgej2); } void test_ecmult_gen_blind_reset(void) { /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ - rustsecp256k1zkp_v0_5_0_scalar b; - rustsecp256k1zkp_v0_5_0_gej initial; - rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); + rustsecp256k1zkp_v0_6_0_scalar b; + rustsecp256k1zkp_v0_6_0_gej initial; + rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); b = ctx->ecmult_gen_ctx.blind; initial = ctx->ecmult_gen_ctx.initial; - rustsecp256k1zkp_v0_5_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); + rustsecp256k1zkp_v0_6_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial)); } @@ -3802,46 +4643,46 @@ void run_ecmult_gen_blind(void) { } /***** ENDOMORPHISH TESTS *****/ -void test_scalar_split(const rustsecp256k1zkp_v0_5_0_scalar* full) { - rustsecp256k1zkp_v0_5_0_scalar s, s1, slam; +void test_scalar_split(const rustsecp256k1zkp_v0_6_0_scalar* full) { + rustsecp256k1zkp_v0_6_0_scalar s, s1, slam; const unsigned char zero[32] = {0}; unsigned char tmp[32]; - rustsecp256k1zkp_v0_5_0_scalar_split_lambda(&s1, &slam, full); + rustsecp256k1zkp_v0_6_0_scalar_split_lambda(&s1, &slam, full); /* check slam*lambda + s1 == full */ - rustsecp256k1zkp_v0_5_0_scalar_mul(&s, &rustsecp256k1zkp_v0_5_0_const_lambda, &slam); - rustsecp256k1zkp_v0_5_0_scalar_add(&s, &s, &s1); - CHECK(rustsecp256k1zkp_v0_5_0_scalar_eq(&s, full)); + rustsecp256k1zkp_v0_6_0_scalar_mul(&s, &rustsecp256k1zkp_v0_6_0_const_lambda, &slam); + rustsecp256k1zkp_v0_6_0_scalar_add(&s, &s, &s1); + CHECK(rustsecp256k1zkp_v0_6_0_scalar_eq(&s, full)); /* check that both are <= 128 bits in size */ - if (rustsecp256k1zkp_v0_5_0_scalar_is_high(&s1)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&s1, &s1); + if (rustsecp256k1zkp_v0_6_0_scalar_is_high(&s1)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&s1, &s1); } - if (rustsecp256k1zkp_v0_5_0_scalar_is_high(&slam)) { - rustsecp256k1zkp_v0_5_0_scalar_negate(&slam, &slam); + if (rustsecp256k1zkp_v0_6_0_scalar_is_high(&slam)) { + rustsecp256k1zkp_v0_6_0_scalar_negate(&slam, &slam); } - rustsecp256k1zkp_v0_5_0_scalar_get_b32(tmp, &s1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zero, tmp, 16) == 0); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(tmp, &slam); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zero, tmp, 16) == 0); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(tmp, &s1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zero, tmp, 16) == 0); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(tmp, &slam); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zero, tmp, 16) == 0); } void run_endomorphism_tests(void) { unsigned i; - static rustsecp256k1zkp_v0_5_0_scalar s; - test_scalar_split(&rustsecp256k1zkp_v0_5_0_scalar_zero); - test_scalar_split(&rustsecp256k1zkp_v0_5_0_scalar_one); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s,&rustsecp256k1zkp_v0_5_0_scalar_one); + static rustsecp256k1zkp_v0_6_0_scalar s; + test_scalar_split(&rustsecp256k1zkp_v0_6_0_scalar_zero); + test_scalar_split(&rustsecp256k1zkp_v0_6_0_scalar_one); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s,&rustsecp256k1zkp_v0_6_0_scalar_one); test_scalar_split(&s); - test_scalar_split(&rustsecp256k1zkp_v0_5_0_const_lambda); - rustsecp256k1zkp_v0_5_0_scalar_add(&s, &rustsecp256k1zkp_v0_5_0_const_lambda, &rustsecp256k1zkp_v0_5_0_scalar_one); + test_scalar_split(&rustsecp256k1zkp_v0_6_0_const_lambda); + rustsecp256k1zkp_v0_6_0_scalar_add(&s, &rustsecp256k1zkp_v0_6_0_const_lambda, &rustsecp256k1zkp_v0_6_0_scalar_one); test_scalar_split(&s); for (i = 0; i < 100U * count; ++i) { - rustsecp256k1zkp_v0_5_0_scalar full; + rustsecp256k1zkp_v0_6_0_scalar full; random_scalar_order_test(&full); test_scalar_split(&full); } @@ -3852,12 +4693,12 @@ void run_endomorphism_tests(void) { void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) { unsigned char pubkeyc[65]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_ge ge; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_ge ge; size_t pubkeyclen; int32_t ecount; ecount = 0; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) { /* Smaller sizes are tested exhaustively elsewhere. */ int32_t i; @@ -3883,30 +4724,30 @@ void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvali memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); outl = 65; VG_UNDEF(pubkeyo, 65); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); VG_CHECK(pubkeyo, outl); CHECK(outl == 33); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0); CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0])); if (ypass) { /* This test isn't always done because we decode with alternative signs, so the y won't match. */ CHECK(pubkeyo[0] == ysign); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 1); memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - rustsecp256k1zkp_v0_5_0_pubkey_save(&pubkey, &ge); + rustsecp256k1zkp_v0_6_0_pubkey_save(&pubkey, &ge); VG_CHECK(&pubkey, sizeof(pubkey)); outl = 65; VG_UNDEF(pubkeyo, 65); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); VG_CHECK(pubkeyo, outl); CHECK(outl == 65); CHECK(pubkeyo[0] == 4); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkeyo[1], input, 64) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkeyo[1], input, 64) == 0); } CHECK(ecount == 0); } else { @@ -3914,15 +4755,15 @@ void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvali memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); } } } - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, NULL, NULL); } void run_ec_pubkey_parse_test(void) { @@ -4106,8 +4947,8 @@ void run_ec_pubkey_parse_test(void) { }; unsigned char sout[65]; unsigned char shortkey[2]; - rustsecp256k1zkp_v0_5_0_ge ge; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_ge ge; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; size_t len; int32_t i; int32_t ecount; @@ -4115,16 +4956,16 @@ void run_ec_pubkey_parse_test(void) { ecount = 0; /* Nothing should be reading this far into pubkeyc. */ VG_UNDEF(&pubkeyc[65], 1); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); /* Zero length claimed, fail, zeroize, no illegal arg error. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(shortkey, 2); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* Length one claimed, fail, zeroize, no illegal arg error. */ for (i = 0; i < 256 ; i++) { @@ -4133,10 +4974,10 @@ void run_ec_pubkey_parse_test(void) { shortkey[0] = i; VG_UNDEF(&shortkey[1], 1); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); } /* Length two claimed, fail, zeroize, no illegal arg error. */ @@ -4146,101 +4987,101 @@ void run_ec_pubkey_parse_test(void) { shortkey[0] = i & 255; shortkey[1] = i >> 8; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); } memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0); CHECK(ecount == 2); /* NULL input string. Illegal arg and zeroize output. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 2); /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* Valid parse. */ memset(&pubkey, 0, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(rustsecp256k1zkp_v0_5_0_context_no_precomp, &pubkey, pubkeyc, 65) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(rustsecp256k1zkp_v0_6_0_context_no_precomp, &pubkey, pubkeyc, 65) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); VG_UNDEF(&ge, sizeof(ge)); - CHECK(rustsecp256k1zkp_v0_5_0_pubkey_load(ctx, &ge, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_pubkey_load(ctx, &ge, &pubkey) == 1); VG_CHECK(&ge.x, sizeof(ge.x)); VG_CHECK(&ge.y, sizeof(ge.y)); VG_CHECK(&ge.infinity, sizeof(ge.infinity)); - ge_equals_ge(&rustsecp256k1zkp_v0_5_0_ge_const_g, &ge); + ge_equals_ge(&rustsecp256k1zkp_v0_6_0_ge_const_g, &ge); CHECK(ecount == 0); - /* rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize illegal args. */ + /* rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize illegal args. */ ecount = 0; len = 65; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); CHECK(ecount == 1); CHECK(len == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); CHECK(ecount == 2); len = 65; VG_UNDEF(sout, 65); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0); VG_CHECK(sout, 65); CHECK(ecount == 3); CHECK(len == 0); len = 65; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0); CHECK(ecount == 4); CHECK(len == 0); len = 65; VG_UNDEF(sout, 65); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); VG_CHECK(sout, 65); CHECK(ecount == 4); CHECK(len == 65); /* Multiple illegal args. Should still set arg error only once. */ ecount = 0; ecount2 = 11; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); CHECK(ecount == 1); /* Does the illegal arg callback actually change the behavior? */ - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); CHECK(ecount == 1); CHECK(ecount2 == 10); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, NULL, NULL); /* Try a bunch of prefabbed points with all possible encodings. */ for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) { ec_pubkey_parse_pointtest(valid[i], 1, 1); @@ -4260,253 +5101,253 @@ void run_eckey_edge_case_test(void) { 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 }; - const unsigned char zeros[sizeof(rustsecp256k1zkp_v0_5_0_pubkey)] = {0x00}; + const unsigned char zeros[sizeof(rustsecp256k1zkp_v0_6_0_pubkey)] = {0x00}; unsigned char ctmp[33]; unsigned char ctmp2[33]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_pubkey pubkey2; - rustsecp256k1zkp_v0_5_0_pubkey pubkey_one; - rustsecp256k1zkp_v0_5_0_pubkey pubkey_negone; - const rustsecp256k1zkp_v0_5_0_pubkey *pubkeys[3]; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey2; + rustsecp256k1zkp_v0_6_0_pubkey pubkey_one; + rustsecp256k1zkp_v0_6_0_pubkey pubkey_negone; + const rustsecp256k1zkp_v0_6_0_pubkey *pubkeys[3]; size_t len; int32_t ecount; /* Group order is too large, reject. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, orderc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, orderc) == 0); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, orderc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, orderc) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); /* Maximum value is too large, reject. */ memset(ctmp, 255, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp) == 0); memset(&pubkey, 1, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); /* Zero is too small, reject. */ memset(ctmp, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp) == 0); memset(&pubkey, 1, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); /* One must be accepted. */ ctmp[31] = 0x01; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp) == 1); memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) > 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) > 0); pubkey_one = pubkey; /* Group order + 1 is too large, reject. */ memcpy(ctmp, orderc, 32); ctmp[31] = 0x42; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp) == 0); memset(&pubkey, 1, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); /* -1 must be accepted. */ ctmp[31] = 0x40; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp) == 1); memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) > 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) > 0); pubkey_negone = pubkey; /* Tweak of zero leaves the value unchanged. */ memset(ctmp2, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); memcpy(&pubkey2, &pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); /* Multiply tweak of zero zeroizes the output. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros, ctmp, 32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros, ctmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing seckey, the seckey is zeroized. */ memcpy(ctmp, orderc, 32); memset(ctmp2, 0, 32); ctmp2[31] = 0x01; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros, ctmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros, ctmp, 32) == 0); memcpy(ctmp, orderc, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros, ctmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros, ctmp, 32) == 0); /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing tweak, the seckey is zeroized. */ memcpy(ctmp, orderc, 32); ctmp[31] = 0x40; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros, ctmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros, ctmp, 32) == 0); memcpy(ctmp, orderc, 32); ctmp[31] = 0x40; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros, ctmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros, ctmp, 32) == 0); memcpy(ctmp, orderc, 32); ctmp[31] = 0x40; /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing tweak, the pubkey is zeroized. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); - /* If the resulting key in rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add and - * rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add is 0 the functions fail and in the latter + /* If the resulting key in rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add and + * rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add is 0 the functions fail and in the latter * case the pubkey is zeroized. */ memcpy(ctmp, orderc, 32); ctmp[31] = 0x40; memset(ctmp2, 0, 32); ctmp2[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(zeros, ctmp2, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(zeros, ctmp2, 32) == 0); ctmp2[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); /* Tweak computation wraps and results in a key of 1. */ ctmp2[31] = 2; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); ctmp2[31] = 2; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); ctmp2[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); /* Tweak mul * 2 = 1+1. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); ctmp2[31] = 2; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); /* Test argument errors. */ ecount = 0; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); CHECK(ecount == 0); /* Zeroize pubkey on parse error. */ memset(&pubkey, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); memset(&pubkey2, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0); /* Plain argument errors. */ ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, ctmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, ctmp) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, NULL) == 0); CHECK(ecount == 1); ecount = 0; memset(ctmp2, 0, 32); ctmp2[31] = 4; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0); CHECK(ecount == 2); ecount = 0; memset(ctmp2, 0, 32); ctmp2[31] = 4; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0); CHECK(ecount == 2); ecount = 0; memset(ctmp2, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0); CHECK(ecount == 2); ecount = 0; memset(ctmp2, 0, 32); ctmp2[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0); CHECK(ecount == 2); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, NULL, ctmp) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, NULL, ctmp) == 0); CHECK(ecount == 1); memset(&pubkey, 1, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); - /* rustsecp256k1zkp_v0_5_0_ec_pubkey_combine tests. */ + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); + /* rustsecp256k1zkp_v0_6_0_ec_pubkey_combine tests. */ ecount = 0; pubkeys[0] = &pubkey_one; - VG_UNDEF(&pubkeys[0], sizeof(rustsecp256k1zkp_v0_5_0_pubkey *)); - VG_UNDEF(&pubkeys[1], sizeof(rustsecp256k1zkp_v0_5_0_pubkey *)); - VG_UNDEF(&pubkeys[2], sizeof(rustsecp256k1zkp_v0_5_0_pubkey *)); - memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0); - VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + VG_UNDEF(&pubkeys[0], sizeof(rustsecp256k1zkp_v0_6_0_pubkey *)); + VG_UNDEF(&pubkeys[1], sizeof(rustsecp256k1zkp_v0_6_0_pubkey *)); + VG_UNDEF(&pubkeys[2], sizeof(rustsecp256k1zkp_v0_6_0_pubkey *)); + memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0); + VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); CHECK(ecount == 2); - memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0); - VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0); + VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); CHECK(ecount == 3); pubkeys[0] = &pubkey_negone; - memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1); - VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) > 0); + memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1); + VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) > 0); CHECK(ecount == 3); len = 33; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(ctmp, ctmp2, 33) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(ctmp, ctmp2, 33) == 0); /* Result is infinity. */ pubkeys[0] = &pubkey_one; pubkeys[1] = &pubkey_negone; - memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0); - VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) == 0); + memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0); + VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) == 0); CHECK(ecount == 3); /* Passes through infinity but comes out one. */ pubkeys[2] = &pubkey_one; - memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1); - VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) > 0); + memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1); + VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) > 0); CHECK(ecount == 3); len = 33; - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(ctmp, ctmp2, 33) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(ctmp, ctmp2, 33) == 0); /* Adds to two. */ pubkeys[1] = &pubkey_one; - memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1); - VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)) > 0); + memset(&pubkey, 255, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1); + VG_CHECK(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, zeros, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)) > 0); CHECK(ecount == 3); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, NULL, NULL); } void run_eckey_negate_test(void) { @@ -4517,22 +5358,22 @@ void run_eckey_negate_test(void) { memcpy(seckey_tmp, seckey, 32); /* Verify negation changes the key and changes it back */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, seckey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(seckey, seckey_tmp, 32) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, seckey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(seckey, seckey_tmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, seckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(seckey, seckey_tmp, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, seckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(seckey, seckey_tmp, 32) == 0); /* Check that privkey alias gives same result */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, seckey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_privkey_negate(ctx, seckey_tmp) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(seckey, seckey_tmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, seckey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_privkey_negate(ctx, seckey_tmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(seckey, seckey_tmp, 32) == 0); /* Negating all 0s fails */ memset(seckey, 0, 32); memset(seckey_tmp, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, seckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, seckey) == 0); /* Check that seckey is not modified */ - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(seckey, seckey_tmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(seckey, seckey_tmp, 32) == 0); /* Negating an overflowing seckey fails and the seckey is zeroed. In this * test, the seckey has 16 random bytes to ensure that ec_seckey_negate @@ -4540,38 +5381,40 @@ void run_eckey_negate_test(void) { random_scalar_order_b32(seckey); memset(seckey, 0xFF, 16); memset(seckey_tmp, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, seckey) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(seckey, seckey_tmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, seckey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(seckey, seckey_tmp, 32) == 0); } -void random_sign(rustsecp256k1zkp_v0_5_0_scalar *sigr, rustsecp256k1zkp_v0_5_0_scalar *sigs, const rustsecp256k1zkp_v0_5_0_scalar *key, const rustsecp256k1zkp_v0_5_0_scalar *msg, int *recid) { - rustsecp256k1zkp_v0_5_0_scalar nonce; +void random_sign(rustsecp256k1zkp_v0_6_0_scalar *sigr, rustsecp256k1zkp_v0_6_0_scalar *sigs, const rustsecp256k1zkp_v0_6_0_scalar *key, const rustsecp256k1zkp_v0_6_0_scalar *msg, int *recid) { + rustsecp256k1zkp_v0_6_0_scalar nonce; do { random_scalar_order_test(&nonce); - } while(!rustsecp256k1zkp_v0_5_0_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); + } while(!rustsecp256k1zkp_v0_6_0_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); } void test_ecdsa_sign_verify(void) { - rustsecp256k1zkp_v0_5_0_gej pubj; - rustsecp256k1zkp_v0_5_0_ge pub; - rustsecp256k1zkp_v0_5_0_scalar one; - rustsecp256k1zkp_v0_5_0_scalar msg, key; - rustsecp256k1zkp_v0_5_0_scalar sigr, sigs; - int recid; + rustsecp256k1zkp_v0_6_0_gej pubj; + rustsecp256k1zkp_v0_6_0_ge pub; + rustsecp256k1zkp_v0_6_0_scalar one; + rustsecp256k1zkp_v0_6_0_scalar msg, key; + rustsecp256k1zkp_v0_6_0_scalar sigr, sigs; int getrec; + /* Initialize recid to suppress a false positive -Wconditional-uninitialized in clang. + VG_UNDEF ensures that valgrind will still treat the variable as uninitialized. */ + int recid = -1; VG_UNDEF(&recid, sizeof(recid)); random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&pub, &pubj); - getrec = rustsecp256k1zkp_v0_5_0_testrand_bits(1); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&pub, &pubj); + getrec = rustsecp256k1zkp_v0_6_0_testrand_bits(1); random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL); if (getrec) { CHECK(recid >= 0 && recid < 4); } - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&one, 1); - rustsecp256k1zkp_v0_5_0_scalar_add(&msg, &msg, &one); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&one, 1); + rustsecp256k1zkp_v0_6_0_scalar_add(&msg, &msg, &one); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); } void run_ecdsa_sign_verify(void) { @@ -4628,9 +5471,9 @@ static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); } -int is_empty_signature(const rustsecp256k1zkp_v0_5_0_ecdsa_signature *sig) { - static const unsigned char res[sizeof(rustsecp256k1zkp_v0_5_0_ecdsa_signature)] = {0}; - return rustsecp256k1zkp_v0_5_0_memcmp_var(sig, res, sizeof(rustsecp256k1zkp_v0_5_0_ecdsa_signature)) == 0; +int is_empty_signature(const rustsecp256k1zkp_v0_6_0_ecdsa_signature *sig) { + static const unsigned char res[sizeof(rustsecp256k1zkp_v0_6_0_ecdsa_signature)] = {0}; + return rustsecp256k1zkp_v0_6_0_memcmp_var(sig, res, sizeof(rustsecp256k1zkp_v0_6_0_ecdsa_signature)) == 0; } void test_ecdsa_end_to_end(void) { @@ -4638,191 +5481,191 @@ void test_ecdsa_end_to_end(void) { unsigned char privkey[32]; unsigned char message[32]; unsigned char privkey2[32]; - rustsecp256k1zkp_v0_5_0_ecdsa_signature signature[6]; - rustsecp256k1zkp_v0_5_0_scalar r, s; + rustsecp256k1zkp_v0_6_0_ecdsa_signature signature[6]; + rustsecp256k1zkp_v0_6_0_scalar r, s; unsigned char sig[74]; size_t siglen = 74; unsigned char pubkeyc[65]; size_t pubkeyclen = 65; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; - rustsecp256k1zkp_v0_5_0_pubkey pubkey_tmp; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey_tmp; unsigned char seckey[300]; size_t seckeylen = 300; /* Generate a random key and message. */ { - rustsecp256k1zkp_v0_5_0_scalar msg, key; + rustsecp256k1zkp_v0_6_0_scalar msg, key; random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(privkey, &key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(message, &msg); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(privkey, &key); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(message, &msg); } /* Construct and verify corresponding public key. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, privkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, privkey) == 1); /* Verify exporting and importing public key. */ - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, rustsecp256k1zkp_v0_5_0_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, rustsecp256k1zkp_v0_6_0_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); memset(&pubkey, 0, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); /* Verify negation changes the key and changes it back */ memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); /* Verify private key import and export. */ - CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, rustsecp256k1zkp_v0_5_0_testrand_bits(1) == 1)); + CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, rustsecp256k1zkp_v0_6_0_testrand_bits(1) == 1)); CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(privkey, privkey2, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(privkey, privkey2, 32) == 0); /* Optionally tweak the keys using addition. */ - if (rustsecp256k1zkp_v0_5_0_testrand_int(3) == 0) { + if (rustsecp256k1zkp_v0_6_0_testrand_int(3) == 0) { int ret1; int ret2; int ret3; unsigned char rnd[32]; unsigned char privkey_tmp[32]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey2; - rustsecp256k1zkp_v0_5_0_testrand256_test(rnd); + rustsecp256k1zkp_v0_6_0_pubkey pubkey2; + rustsecp256k1zkp_v0_6_0_testrand256_test(rnd); memcpy(privkey_tmp, privkey, 32); - ret1 = rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, privkey, rnd); - ret2 = rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_add(ctx, &pubkey, rnd); + ret1 = rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, privkey, rnd); + ret2 = rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_add(ctx, &pubkey, rnd); /* Check that privkey alias gives same result */ - ret3 = rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_add(ctx, privkey_tmp, rnd); + ret3 = rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_add(ctx, privkey_tmp, rnd); CHECK(ret1 == ret2); CHECK(ret2 == ret3); if (ret1 == 0) { return; } - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(privkey, privkey_tmp, 32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(privkey, privkey_tmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); } /* Optionally tweak the keys using multiplication. */ - if (rustsecp256k1zkp_v0_5_0_testrand_int(3) == 0) { + if (rustsecp256k1zkp_v0_6_0_testrand_int(3) == 0) { int ret1; int ret2; int ret3; unsigned char rnd[32]; unsigned char privkey_tmp[32]; - rustsecp256k1zkp_v0_5_0_pubkey pubkey2; - rustsecp256k1zkp_v0_5_0_testrand256_test(rnd); + rustsecp256k1zkp_v0_6_0_pubkey pubkey2; + rustsecp256k1zkp_v0_6_0_testrand256_test(rnd); memcpy(privkey_tmp, privkey, 32); - ret1 = rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, privkey, rnd); - ret2 = rustsecp256k1zkp_v0_5_0_ec_pubkey_tweak_mul(ctx, &pubkey, rnd); + ret1 = rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, privkey, rnd); + ret2 = rustsecp256k1zkp_v0_6_0_ec_pubkey_tweak_mul(ctx, &pubkey, rnd); /* Check that privkey alias gives same result */ - ret3 = rustsecp256k1zkp_v0_5_0_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd); + ret3 = rustsecp256k1zkp_v0_6_0_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd); CHECK(ret1 == ret2); CHECK(ret2 == ret3); if (ret1 == 0) { return; } - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(privkey, privkey_tmp, 32) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(privkey, privkey_tmp, 32) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); } /* Sign. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1); extra[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1); extra[31] = 0; extra[0] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0); /* Verify. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1); /* Test lower-S form, malleate, verify and fail, test again, malleate again */ - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(ctx, NULL, &signature[0])); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, &signature[0]); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, &s); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(&signature[5], &r, &s); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(ctx, NULL, &signature[5])); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(ctx, NULL, &signature[5])); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); - rustsecp256k1zkp_v0_5_0_scalar_negate(&s, &s); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(&signature[5], &r, &s); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(ctx, NULL, &signature[5])); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&signature[5], &signature[0], 64) == 0); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(ctx, NULL, &signature[0])); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, &signature[0]); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(&signature[5], &r, &s); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(ctx, NULL, &signature[5])); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(ctx, NULL, &signature[5])); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); + rustsecp256k1zkp_v0_6_0_scalar_negate(&s, &s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(&signature[5], &r, &s); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(ctx, NULL, &signature[5])); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&signature[5], &signature[0], 64) == 0); /* Serialize/parse DER and verify again */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); memset(&signature[0], 0, sizeof(signature[0])); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); /* Serialize/destroy/parse DER and verify again. */ siglen = 74; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); - sig[rustsecp256k1zkp_v0_5_0_testrand_int(siglen)] += 1 + rustsecp256k1zkp_v0_5_0_testrand_int(255); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 || - rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); + sig[rustsecp256k1zkp_v0_6_0_testrand_int(siglen)] += 1 + rustsecp256k1zkp_v0_6_0_testrand_int(255); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 || + rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0); } void test_random_pubkeys(void) { - rustsecp256k1zkp_v0_5_0_ge elem; - rustsecp256k1zkp_v0_5_0_ge elem2; + rustsecp256k1zkp_v0_6_0_ge elem; + rustsecp256k1zkp_v0_6_0_ge elem2; unsigned char in[65]; /* Generate some randomly sized pubkeys. */ - size_t len = rustsecp256k1zkp_v0_5_0_testrand_bits(2) == 0 ? 65 : 33; - if (rustsecp256k1zkp_v0_5_0_testrand_bits(2) == 0) { - len = rustsecp256k1zkp_v0_5_0_testrand_bits(6); + size_t len = rustsecp256k1zkp_v0_6_0_testrand_bits(2) == 0 ? 65 : 33; + if (rustsecp256k1zkp_v0_6_0_testrand_bits(2) == 0) { + len = rustsecp256k1zkp_v0_6_0_testrand_bits(6); } if (len == 65) { - in[0] = rustsecp256k1zkp_v0_5_0_testrand_bits(1) ? 4 : (rustsecp256k1zkp_v0_5_0_testrand_bits(1) ? 6 : 7); + in[0] = rustsecp256k1zkp_v0_6_0_testrand_bits(1) ? 4 : (rustsecp256k1zkp_v0_6_0_testrand_bits(1) ? 6 : 7); } else { - in[0] = rustsecp256k1zkp_v0_5_0_testrand_bits(1) ? 2 : 3; + in[0] = rustsecp256k1zkp_v0_6_0_testrand_bits(1) ? 2 : 3; } - if (rustsecp256k1zkp_v0_5_0_testrand_bits(3) == 0) { - in[0] = rustsecp256k1zkp_v0_5_0_testrand_bits(8); + if (rustsecp256k1zkp_v0_6_0_testrand_bits(3) == 0) { + in[0] = rustsecp256k1zkp_v0_6_0_testrand_bits(8); } if (len > 1) { - rustsecp256k1zkp_v0_5_0_testrand256(&in[1]); + rustsecp256k1zkp_v0_6_0_testrand256(&in[1]); } if (len > 33) { - rustsecp256k1zkp_v0_5_0_testrand256(&in[33]); + rustsecp256k1zkp_v0_6_0_testrand256(&in[33]); } - if (rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&elem, in, len)) { + if (rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&elem, in, len)) { unsigned char out[65]; unsigned char firstb; int res; size_t size = len; firstb = in[0]; /* If the pubkey can be parsed, it should round-trip... */ - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&elem, out, &size, len == 33)); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&elem, out, &size, len == 33)); CHECK(size == len); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&in[1], &out[1], len-1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&in[1], &out[1], len-1) == 0); /* ... except for the type of hybrid inputs. */ if ((in[0] != 6) && (in[0] != 7)) { CHECK(in[0] == out[0]); } size = 65; - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&elem, in, &size, 0)); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&elem, in, &size, 0)); CHECK(size == 65); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&elem2, in, size)); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&elem2, in, size)); ge_equals_ge(&elem,&elem2); /* Check that the X9.62 hybrid type is checked. */ - in[0] = rustsecp256k1zkp_v0_5_0_testrand_bits(1) ? 6 : 7; - res = rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&elem2, in, size); + in[0] = rustsecp256k1zkp_v0_6_0_testrand_bits(1) ? 6 : 7; + res = rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&elem2, in, size); if (firstb == 2 || firstb == 3) { if (in[0] == firstb + 4) { CHECK(res); @@ -4832,12 +5675,61 @@ void test_random_pubkeys(void) { } if (res) { ge_equals_ge(&elem,&elem2); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_serialize(&elem, out, &size, 0)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&in[1], &out[1], 64) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_serialize(&elem, out, &size, 0)); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&in[1], &out[1], 64) == 0); } } } +void run_pubkey_comparison(void) { + unsigned char pk1_ser[33] = { + 0x02, + 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11, + 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23 + }; + const unsigned char pk2_ser[33] = { + 0x02, + 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d, + 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c + }; + rustsecp256k1zkp_v0_6_0_pubkey pk1; + rustsecp256k1zkp_v0_6_0_pubkey pk2; + int32_t ecount = 0; + + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1); + + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, NULL, &pk2) < 0); + CHECK(ecount == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk1, NULL) > 0); + CHECK(ecount == 2); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0); + CHECK(ecount == 2); + { + rustsecp256k1zkp_v0_6_0_pubkey pk_tmp; + memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */ + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0); + CHECK(ecount == 3); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0); + CHECK(ecount == 5); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0); + CHECK(ecount == 6); + } + + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, NULL, NULL); + + /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in + * an uncompressed encoding, these would have the opposite ordering */ + pk1_ser[0] = 3; + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0); +} + void run_random_pubkeys(void) { int i; for (i = 0; i < 10*count; i++) { @@ -4865,13 +5757,13 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ int ret = 0; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig_der; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig_der; unsigned char roundtrip_der[2048]; unsigned char compact_der[64]; size_t len_der = 2048; int parsed_der = 0, valid_der = 0, roundtrips_der = 0; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig_der_lax; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig_der_lax; unsigned char roundtrip_der_lax[2048]; unsigned char compact_der_lax[64]; size_t len_der_lax = 2048; @@ -4886,24 +5778,24 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0; #endif - parsed_der = rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen); + parsed_der = rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen); if (parsed_der) { - ret |= (!rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0; - valid_der = (rustsecp256k1zkp_v0_5_0_memcmp_var(compact_der, zeroes, 32) != 0) && (rustsecp256k1zkp_v0_5_0_memcmp_var(compact_der + 32, zeroes, 32) != 0); + ret |= (!rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0; + valid_der = (rustsecp256k1zkp_v0_6_0_memcmp_var(compact_der, zeroes, 32) != 0) && (rustsecp256k1zkp_v0_6_0_memcmp_var(compact_der + 32, zeroes, 32) != 0); } if (valid_der) { - ret |= (!rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1; - roundtrips_der = (len_der == siglen) && rustsecp256k1zkp_v0_5_0_memcmp_var(roundtrip_der, sig, siglen) == 0; + ret |= (!rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1; + roundtrips_der = (len_der == siglen) && rustsecp256k1zkp_v0_6_0_memcmp_var(roundtrip_der, sig, siglen) == 0; } - parsed_der_lax = rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen); + parsed_der_lax = rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen); if (parsed_der_lax) { - ret |= (!rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10; - valid_der_lax = (rustsecp256k1zkp_v0_5_0_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (rustsecp256k1zkp_v0_5_0_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0); + ret |= (!rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10; + valid_der_lax = (rustsecp256k1zkp_v0_6_0_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (rustsecp256k1zkp_v0_6_0_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0); } if (valid_der_lax) { - ret |= (!rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; - roundtrips_der_lax = (len_der_lax == siglen) && rustsecp256k1zkp_v0_5_0_memcmp_var(roundtrip_der_lax, sig, siglen) == 0; + ret |= (!rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; + roundtrips_der_lax = (len_der_lax == siglen) && rustsecp256k1zkp_v0_6_0_memcmp_var(roundtrip_der_lax, sig, siglen) == 0; } if (certainly_der) { @@ -4919,7 +5811,7 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ if (valid_der) { ret |= (!roundtrips_der_lax) << 12; ret |= (len_der != len_der_lax) << 13; - ret |= ((len_der != len_der_lax) || (rustsecp256k1zkp_v0_5_0_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14; + ret |= ((len_der != len_der_lax) || (rustsecp256k1zkp_v0_6_0_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14; } ret |= (roundtrips_der != roundtrips_der_lax) << 15; if (parsed_der) { @@ -4936,19 +5828,19 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ if (valid_openssl) { unsigned char tmp[32] = {0}; BN_bn2bin(r, tmp + 32 - BN_num_bytes(r)); - valid_openssl = rustsecp256k1zkp_v0_5_0_memcmp_var(tmp, max_scalar, 32) < 0; + valid_openssl = rustsecp256k1zkp_v0_6_0_memcmp_var(tmp, max_scalar, 32) < 0; } if (valid_openssl) { unsigned char tmp[32] = {0}; BN_bn2bin(s, tmp + 32 - BN_num_bytes(s)); - valid_openssl = rustsecp256k1zkp_v0_5_0_memcmp_var(tmp, max_scalar, 32) < 0; + valid_openssl = rustsecp256k1zkp_v0_6_0_memcmp_var(tmp, max_scalar, 32) < 0; } } len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL); if (len_openssl <= 2048) { unsigned char *ptr = roundtrip_openssl; CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl); - roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (rustsecp256k1zkp_v0_5_0_memcmp_var(roundtrip_openssl, sig, siglen) == 0); + roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (rustsecp256k1zkp_v0_6_0_memcmp_var(roundtrip_openssl, sig, siglen) == 0); } else { len_openssl = 0; } @@ -4960,7 +5852,7 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ ret |= (roundtrips_der != roundtrips_openssl) << 7; if (roundtrips_openssl) { ret |= (len_der != (size_t)len_openssl) << 8; - ret |= ((len_der != (size_t)len_openssl) || (rustsecp256k1zkp_v0_5_0_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9; + ret |= ((len_der != (size_t)len_openssl) || (rustsecp256k1zkp_v0_6_0_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9; } #endif return ret; @@ -4980,27 +5872,27 @@ static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) { static void damage_array(unsigned char *sig, size_t *len) { int pos; - int action = rustsecp256k1zkp_v0_5_0_testrand_bits(3); + int action = rustsecp256k1zkp_v0_6_0_testrand_bits(3); if (action < 1 && *len > 3) { /* Delete a byte. */ - pos = rustsecp256k1zkp_v0_5_0_testrand_int(*len); + pos = rustsecp256k1zkp_v0_6_0_testrand_int(*len); memmove(sig + pos, sig + pos + 1, *len - pos - 1); (*len)--; return; } else if (action < 2 && *len < 2048) { /* Insert a byte. */ - pos = rustsecp256k1zkp_v0_5_0_testrand_int(1 + *len); + pos = rustsecp256k1zkp_v0_6_0_testrand_int(1 + *len); memmove(sig + pos + 1, sig + pos, *len - pos); - sig[pos] = rustsecp256k1zkp_v0_5_0_testrand_bits(8); + sig[pos] = rustsecp256k1zkp_v0_6_0_testrand_bits(8); (*len)++; return; } else if (action < 4) { /* Modify a byte. */ - sig[rustsecp256k1zkp_v0_5_0_testrand_int(*len)] += 1 + rustsecp256k1zkp_v0_5_0_testrand_int(255); + sig[rustsecp256k1zkp_v0_6_0_testrand_int(*len)] += 1 + rustsecp256k1zkp_v0_6_0_testrand_int(255); return; } else { /* action < 8 */ /* Modify a bit. */ - sig[rustsecp256k1zkp_v0_5_0_testrand_int(*len)] ^= 1 << rustsecp256k1zkp_v0_5_0_testrand_bits(3); + sig[rustsecp256k1zkp_v0_6_0_testrand_int(*len)] ^= 1 << rustsecp256k1zkp_v0_6_0_testrand_bits(3); return; } } @@ -5013,23 +5905,23 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly int n; *len = 0; - der = rustsecp256k1zkp_v0_5_0_testrand_bits(2) == 0; + der = rustsecp256k1zkp_v0_6_0_testrand_bits(2) == 0; *certainly_der = der; *certainly_not_der = 0; - indet = der ? 0 : rustsecp256k1zkp_v0_5_0_testrand_int(10) == 0; + indet = der ? 0 : rustsecp256k1zkp_v0_6_0_testrand_int(10) == 0; for (n = 0; n < 2; n++) { /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */ - nlow[n] = der ? 1 : (rustsecp256k1zkp_v0_5_0_testrand_bits(3) != 0); + nlow[n] = der ? 1 : (rustsecp256k1zkp_v0_6_0_testrand_bits(3) != 0); /* The length of the number in bytes (the first byte of which will always be nonzero) */ - nlen[n] = nlow[n] ? rustsecp256k1zkp_v0_5_0_testrand_int(33) : 32 + rustsecp256k1zkp_v0_5_0_testrand_int(200) * rustsecp256k1zkp_v0_5_0_testrand_int(8) / 8; + nlen[n] = nlow[n] ? rustsecp256k1zkp_v0_6_0_testrand_int(33) : 32 + rustsecp256k1zkp_v0_6_0_testrand_int(200) * rustsecp256k1zkp_v0_6_0_testrand_int(8) / 8; CHECK(nlen[n] <= 232); /* The top bit of the number. */ - nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : rustsecp256k1zkp_v0_5_0_testrand_bits(1)); + nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : rustsecp256k1zkp_v0_6_0_testrand_bits(1)); /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */ - nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + rustsecp256k1zkp_v0_5_0_testrand_bits(7) : 1 + rustsecp256k1zkp_v0_5_0_testrand_int(127)); + nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + rustsecp256k1zkp_v0_6_0_testrand_bits(7) : 1 + rustsecp256k1zkp_v0_6_0_testrand_int(127)); /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */ - nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? rustsecp256k1zkp_v0_5_0_testrand_int(3) : rustsecp256k1zkp_v0_5_0_testrand_int(300 - nlen[n]) * rustsecp256k1zkp_v0_5_0_testrand_int(8) / 8); + nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? rustsecp256k1zkp_v0_6_0_testrand_int(3) : rustsecp256k1zkp_v0_6_0_testrand_int(300 - nlen[n]) * rustsecp256k1zkp_v0_6_0_testrand_int(8) / 8); if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) { *certainly_not_der = 1; } @@ -5038,7 +5930,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2); if (!der) { /* nlenlen[n] max 127 bytes */ - int add = rustsecp256k1zkp_v0_5_0_testrand_int(127 - nlenlen[n]) * rustsecp256k1zkp_v0_5_0_testrand_int(16) * rustsecp256k1zkp_v0_5_0_testrand_int(16) / 256; + int add = rustsecp256k1zkp_v0_6_0_testrand_int(127 - nlenlen[n]) * rustsecp256k1zkp_v0_6_0_testrand_int(16) * rustsecp256k1zkp_v0_6_0_testrand_int(16) / 256; nlenlen[n] += add; if (add != 0) { *certainly_not_der = 1; @@ -5052,7 +5944,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly CHECK(tlen <= 856); /* The length of the garbage inside the tuple. */ - elen = (der || indet) ? 0 : rustsecp256k1zkp_v0_5_0_testrand_int(980 - tlen) * rustsecp256k1zkp_v0_5_0_testrand_int(8) / 8; + elen = (der || indet) ? 0 : rustsecp256k1zkp_v0_6_0_testrand_int(980 - tlen) * rustsecp256k1zkp_v0_6_0_testrand_int(8) / 8; if (elen != 0) { *certainly_not_der = 1; } @@ -5060,7 +5952,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly CHECK(tlen <= 980); /* The length of the garbage after the end of the tuple. */ - glen = der ? 0 : rustsecp256k1zkp_v0_5_0_testrand_int(990 - tlen) * rustsecp256k1zkp_v0_5_0_testrand_int(8) / 8; + glen = der ? 0 : rustsecp256k1zkp_v0_6_0_testrand_int(990 - tlen) * rustsecp256k1zkp_v0_6_0_testrand_int(8) / 8; if (glen != 0) { *certainly_not_der = 1; } @@ -5075,7 +5967,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly } else { int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2); if (!der) { - int add = rustsecp256k1zkp_v0_5_0_testrand_int(127 - tlenlen) * rustsecp256k1zkp_v0_5_0_testrand_int(16) * rustsecp256k1zkp_v0_5_0_testrand_int(16) / 256; + int add = rustsecp256k1zkp_v0_6_0_testrand_int(127 - tlenlen) * rustsecp256k1zkp_v0_6_0_testrand_int(16) * rustsecp256k1zkp_v0_6_0_testrand_int(16) / 256; tlenlen += add; if (add != 0) { *certainly_not_der = 1; @@ -5126,13 +6018,13 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly nlen[n]--; } /* Generate remaining random bytes of number */ - rustsecp256k1zkp_v0_5_0_testrand_bytes_test(sig + *len, nlen[n]); + rustsecp256k1zkp_v0_6_0_testrand_bytes_test(sig + *len, nlen[n]); *len += nlen[n]; nlen[n] = 0; } /* Generate random garbage inside tuple. */ - rustsecp256k1zkp_v0_5_0_testrand_bytes_test(sig + *len, elen); + rustsecp256k1zkp_v0_6_0_testrand_bytes_test(sig + *len, elen); *len += elen; /* Generate end-of-contents bytes. */ @@ -5144,7 +6036,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly CHECK(tlen + glen <= 1121); /* Generate random garbage outside tuple. */ - rustsecp256k1zkp_v0_5_0_testrand_bytes_test(sig + *len, glen); + rustsecp256k1zkp_v0_6_0_testrand_bytes_test(sig + *len, glen); *len += glen; tlen += glen; CHECK(tlen <= 1121); @@ -5185,22 +6077,22 @@ void run_ecdsa_der_parse(void) { /* Tests several edge cases. */ void test_ecdsa_edge_cases(void) { int t; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; /* Test the case where ECDSA recomputes a point that is infinity. */ { - rustsecp256k1zkp_v0_5_0_gej keyj; - rustsecp256k1zkp_v0_5_0_ge key; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_scalar sr, ss; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 1); - rustsecp256k1zkp_v0_5_0_scalar_negate(&ss, &ss); - rustsecp256k1zkp_v0_5_0_scalar_inverse(&ss, &ss); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sr, 1); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&key, &keyj); + rustsecp256k1zkp_v0_6_0_gej keyj; + rustsecp256k1zkp_v0_6_0_ge key; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_scalar sr, ss; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 1); + rustsecp256k1zkp_v0_6_0_scalar_negate(&ss, &ss); + rustsecp256k1zkp_v0_6_0_scalar_inverse(&ss, &ss); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sr, 1); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&key, &keyj); msg = ss; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Verify signature with r of zero fails. */ @@ -5212,14 +6104,14 @@ void test_ecdsa_edge_cases(void) { 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 }; - rustsecp256k1zkp_v0_5_0_ge key; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_scalar sr, ss; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sr, 0); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + rustsecp256k1zkp_v0_6_0_ge key; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_scalar sr, ss; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sr, 0); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Verify signature with s of zero fails. */ @@ -5231,14 +6123,14 @@ void test_ecdsa_edge_cases(void) { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }; - rustsecp256k1zkp_v0_5_0_ge key; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_scalar sr, ss; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sr, 1); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + rustsecp256k1zkp_v0_6_0_ge key; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_scalar sr, ss; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sr, 1); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Verify signature with message 0 passes. */ @@ -5257,23 +6149,23 @@ void test_ecdsa_edge_cases(void) { 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x43 }; - rustsecp256k1zkp_v0_5_0_ge key; - rustsecp256k1zkp_v0_5_0_ge key2; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_scalar sr, ss; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 2); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg, 0); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sr, 2); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&key2, pubkey2, 33)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1zkp_v0_5_0_scalar_negate(&ss, &ss); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); + rustsecp256k1zkp_v0_6_0_ge key; + rustsecp256k1zkp_v0_6_0_ge key2; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_scalar sr, ss; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 2); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg, 0); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sr, 2); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&key2, pubkey2, 33)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1zkp_v0_6_0_scalar_negate(&ss, &ss); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); } /* Verify signature with message 1 passes. */ @@ -5298,24 +6190,24 @@ void test_ecdsa_edge_cases(void) { 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb }; - rustsecp256k1zkp_v0_5_0_ge key; - rustsecp256k1zkp_v0_5_0_ge key2; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_scalar sr, ss; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg, 1); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sr, csr, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&key2, pubkey2, 33)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1zkp_v0_5_0_scalar_negate(&ss, &ss); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 2); - rustsecp256k1zkp_v0_5_0_scalar_inverse_var(&ss, &ss); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); + rustsecp256k1zkp_v0_6_0_ge key; + rustsecp256k1zkp_v0_6_0_ge key2; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_scalar sr, ss; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg, 1); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sr, csr, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&key2, pubkey2, 33)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1zkp_v0_6_0_scalar_negate(&ss, &ss); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 2); + rustsecp256k1zkp_v0_6_0_scalar_inverse_var(&ss, &ss); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); } /* Verify signature with message -1 passes. */ @@ -5333,25 +6225,25 @@ void test_ecdsa_edge_cases(void) { 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee }; - rustsecp256k1zkp_v0_5_0_ge key; - rustsecp256k1zkp_v0_5_0_scalar msg; - rustsecp256k1zkp_v0_5_0_scalar sr, ss; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg, 1); - rustsecp256k1zkp_v0_5_0_scalar_negate(&msg, &msg); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&sr, csr, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - rustsecp256k1zkp_v0_5_0_scalar_negate(&ss, &ss); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ss, 3); - rustsecp256k1zkp_v0_5_0_scalar_inverse_var(&ss, &ss); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + rustsecp256k1zkp_v0_6_0_ge key; + rustsecp256k1zkp_v0_6_0_scalar msg; + rustsecp256k1zkp_v0_6_0_scalar sr, ss; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg, 1); + rustsecp256k1zkp_v0_6_0_scalar_negate(&msg, &msg); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&sr, csr, NULL); + CHECK(rustsecp256k1zkp_v0_6_0_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + rustsecp256k1zkp_v0_6_0_scalar_negate(&ss, &ss); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ss, 3); + rustsecp256k1zkp_v0_6_0_scalar_inverse_var(&ss, &ss); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Signature where s would be zero. */ { - rustsecp256k1zkp_v0_5_0_pubkey pubkey; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; size_t siglen; int32_t ecount; unsigned char signature[72]; @@ -5380,71 +6272,71 @@ void test_ecdsa_edge_cases(void) { 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, }; ecount = 0; - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); msg[31] = 0xaa; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, key) == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, key) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg, NULL) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); CHECK(ecount == 6); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, NULL) == 0); CHECK(ecount == 7); /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0); CHECK(ecount == 8); siglen = 72; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0); CHECK(ecount == 9); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0); CHECK(ecount == 10); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0); CHECK(ecount == 11); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1); CHECK(ecount == 11); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0); CHECK(ecount == 12); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0); CHECK(ecount == 13); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1); CHECK(ecount == 13); siglen = 10; /* Too little room for a signature does not fail via ARGCHECK. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0); CHECK(ecount == 13); ecount = 0; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_normalize(ctx, NULL, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_normalize(ctx, NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1); CHECK(ecount == 5); memset(signature, 255, 64); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0); CHECK(ecount == 5); - rustsecp256k1zkp_v0_5_0_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1zkp_v0_6_0_context_set_illegal_callback(ctx, NULL, NULL); } /* Nonce function corner cases. */ @@ -5453,43 +6345,43 @@ void test_ecdsa_edge_cases(void) { int i; unsigned char key[32]; unsigned char msg[32]; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig2; - rustsecp256k1zkp_v0_5_0_scalar sr[512], ss; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig2; + rustsecp256k1zkp_v0_6_0_scalar sr[512], ss; const unsigned char *extra; extra = t == 0 ? NULL : zero; memset(msg, 0, 32); msg[31] = 1; /* High key results in signature failure. */ memset(key, 0xFF, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); CHECK(is_empty_signature(&sig)); /* Zero key results in signature failure. */ memset(key, 0, 32); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); CHECK(is_empty_signature(&sig)); /* Nonce function failure results in signature failure. */ key[31] = 1; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0); CHECK(is_empty_signature(&sig)); /* The retry loop successfully makes its way to the first good value. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1); CHECK(!is_empty_signature(&sig)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); CHECK(!is_empty_signature(&sig2)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); /* The default nonce function is deterministic. */ - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); CHECK(!is_empty_signature(&sig2)); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); /* The default nonce function changes output with different messages. */ for(i = 0; i < 256; i++) { int j; msg[0] = i; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); CHECK(!is_empty_signature(&sig2)); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); for (j = 0; j < i; j++) { - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_eq(&sr[i], &sr[j])); + CHECK(!rustsecp256k1zkp_v0_6_0_scalar_eq(&sr[i], &sr[j])); } } msg[0] = 0; @@ -5498,11 +6390,11 @@ void test_ecdsa_edge_cases(void) { for(i = 256; i < 512; i++) { int j; key[0] = i - 256; - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); CHECK(!is_empty_signature(&sig2)); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); for (j = 0; j < i; j++) { - CHECK(!rustsecp256k1zkp_v0_5_0_scalar_eq(&sr[i], &sr[j])); + CHECK(!rustsecp256k1zkp_v0_6_0_scalar_eq(&sr[i], &sr[j])); } } key[0] = 0; @@ -5527,12 +6419,12 @@ void test_ecdsa_edge_cases(void) { VG_CHECK(nonce3,32); CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1); VG_CHECK(nonce4,32); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonce, nonce2, 32) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonce, nonce3, 32) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonce, nonce4, 32) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonce2, nonce3, 32) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonce2, nonce4, 32) != 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(nonce3, nonce4, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonce, nonce2, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonce, nonce3, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonce, nonce4, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonce2, nonce3, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonce2, nonce4, 32) != 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(nonce3, nonce4, 32) != 0); } @@ -5561,7 +6453,7 @@ EC_KEY *get_openssl_key(const unsigned char *key32) { unsigned char privkey[300]; size_t privkeylen; const unsigned char* pbegin = privkey; - int compr = rustsecp256k1zkp_v0_5_0_testrand_bits(1); + int compr = rustsecp256k1zkp_v0_6_0_testrand_bits(1); EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1); CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr)); CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen)); @@ -5570,35 +6462,35 @@ EC_KEY *get_openssl_key(const unsigned char *key32) { } void test_ecdsa_openssl(void) { - rustsecp256k1zkp_v0_5_0_gej qj; - rustsecp256k1zkp_v0_5_0_ge q; - rustsecp256k1zkp_v0_5_0_scalar sigr, sigs; - rustsecp256k1zkp_v0_5_0_scalar one; - rustsecp256k1zkp_v0_5_0_scalar msg2; - rustsecp256k1zkp_v0_5_0_scalar key, msg; + rustsecp256k1zkp_v0_6_0_gej qj; + rustsecp256k1zkp_v0_6_0_ge q; + rustsecp256k1zkp_v0_6_0_scalar sigr, sigs; + rustsecp256k1zkp_v0_6_0_scalar one; + rustsecp256k1zkp_v0_6_0_scalar msg2; + rustsecp256k1zkp_v0_6_0_scalar key, msg; EC_KEY *ec_key; unsigned int sigsize = 80; size_t secp_sigsize = 80; unsigned char message[32]; unsigned char signature[80]; unsigned char key32[32]; - rustsecp256k1zkp_v0_5_0_testrand256_test(message); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(&msg, message, NULL); + rustsecp256k1zkp_v0_6_0_testrand256_test(message); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(&msg, message, NULL); random_scalar_order_test(&key); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(key32, &key); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&q, &qj); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(key32, &key); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&q, &qj); ec_key = get_openssl_key(key32); CHECK(ec_key != NULL); CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize)); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg)); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&one, 1); - rustsecp256k1zkp_v0_5_0_scalar_add(&msg2, &msg, &one); - CHECK(!rustsecp256k1zkp_v0_5_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg)); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&one, 1); + rustsecp256k1zkp_v0_6_0_scalar_add(&msg2, &msg, &one); + CHECK(!rustsecp256k1zkp_v0_6_0_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2)); random_sign(&sigr, &sigs, &key, &msg, NULL); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs)); CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1); EC_KEY_free(ec_key); @@ -5656,166 +6548,166 @@ void run_ecdsa_openssl(void) { #include "modules/ecdsa_adaptor/tests_impl.h" #endif -void run_rustsecp256k1zkp_v0_5_0_memczero_test(void) { +void run_rustsecp256k1zkp_v0_6_0_memczero_test(void) { unsigned char buf1[6] = {1, 2, 3, 4, 5, 6}; unsigned char buf2[sizeof(buf1)]; - /* rustsecp256k1zkp_v0_5_0_memczero(..., ..., 0) is a noop. */ + /* rustsecp256k1zkp_v0_6_0_memczero(..., ..., 0) is a noop. */ memcpy(buf2, buf1, sizeof(buf1)); - rustsecp256k1zkp_v0_5_0_memczero(buf1, sizeof(buf1), 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); + rustsecp256k1zkp_v0_6_0_memczero(buf1, sizeof(buf1), 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); - /* rustsecp256k1zkp_v0_5_0_memczero(..., ..., 1) zeros the buffer. */ + /* rustsecp256k1zkp_v0_6_0_memczero(..., ..., 1) zeros the buffer. */ memset(buf2, 0, sizeof(buf2)); - rustsecp256k1zkp_v0_5_0_memczero(buf1, sizeof(buf1) , 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); + rustsecp256k1zkp_v0_6_0_memczero(buf1, sizeof(buf1) , 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); } void int_cmov_test(void) { int r = INT_MAX; int a = 0; - rustsecp256k1zkp_v0_5_0_int_cmov(&r, &a, 0); + rustsecp256k1zkp_v0_6_0_int_cmov(&r, &a, 0); CHECK(r == INT_MAX); r = 0; a = INT_MAX; - rustsecp256k1zkp_v0_5_0_int_cmov(&r, &a, 1); + rustsecp256k1zkp_v0_6_0_int_cmov(&r, &a, 1); CHECK(r == INT_MAX); a = 0; - rustsecp256k1zkp_v0_5_0_int_cmov(&r, &a, 1); + rustsecp256k1zkp_v0_6_0_int_cmov(&r, &a, 1); CHECK(r == 0); a = 1; - rustsecp256k1zkp_v0_5_0_int_cmov(&r, &a, 1); + rustsecp256k1zkp_v0_6_0_int_cmov(&r, &a, 1); CHECK(r == 1); r = 1; a = 0; - rustsecp256k1zkp_v0_5_0_int_cmov(&r, &a, 0); + rustsecp256k1zkp_v0_6_0_int_cmov(&r, &a, 0); CHECK(r == 1); } void fe_cmov_test(void) { - static const rustsecp256k1zkp_v0_5_0_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0); - static const rustsecp256k1zkp_v0_5_0_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); - static const rustsecp256k1zkp_v0_5_0_fe max = SECP256K1_FE_CONST( + static const rustsecp256k1zkp_v0_6_0_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0); + static const rustsecp256k1zkp_v0_6_0_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); + static const rustsecp256k1zkp_v0_6_0_fe max = SECP256K1_FE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL ); - rustsecp256k1zkp_v0_5_0_fe r = max; - rustsecp256k1zkp_v0_5_0_fe a = zero; + rustsecp256k1zkp_v0_6_0_fe r = max; + rustsecp256k1zkp_v0_6_0_fe a = zero; - rustsecp256k1zkp_v0_5_0_fe_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); r = zero; a = max; - rustsecp256k1zkp_v0_5_0_fe_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); a = zero; - rustsecp256k1zkp_v0_5_0_fe_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &zero, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &zero, sizeof(r)) == 0); a = one; - rustsecp256k1zkp_v0_5_0_fe_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); r = one; a = zero; - rustsecp256k1zkp_v0_5_0_fe_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); } void fe_storage_cmov_test(void) { - static const rustsecp256k1zkp_v0_5_0_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0); - static const rustsecp256k1zkp_v0_5_0_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1); - static const rustsecp256k1zkp_v0_5_0_fe_storage max = SECP256K1_FE_STORAGE_CONST( + static const rustsecp256k1zkp_v0_6_0_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0); + static const rustsecp256k1zkp_v0_6_0_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1); + static const rustsecp256k1zkp_v0_6_0_fe_storage max = SECP256K1_FE_STORAGE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL ); - rustsecp256k1zkp_v0_5_0_fe_storage r = max; - rustsecp256k1zkp_v0_5_0_fe_storage a = zero; + rustsecp256k1zkp_v0_6_0_fe_storage r = max; + rustsecp256k1zkp_v0_6_0_fe_storage a = zero; - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); r = zero; a = max; - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); a = zero; - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &zero, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &zero, sizeof(r)) == 0); a = one; - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); r = one; a = zero; - rustsecp256k1zkp_v0_5_0_fe_storage_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_fe_storage_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); } void scalar_cmov_test(void) { - static const rustsecp256k1zkp_v0_5_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - static const rustsecp256k1zkp_v0_5_0_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); - static const rustsecp256k1zkp_v0_5_0_scalar max = SECP256K1_SCALAR_CONST( + static const rustsecp256k1zkp_v0_6_0_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + static const rustsecp256k1zkp_v0_6_0_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); + static const rustsecp256k1zkp_v0_6_0_scalar max = SECP256K1_SCALAR_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL ); - rustsecp256k1zkp_v0_5_0_scalar r = max; - rustsecp256k1zkp_v0_5_0_scalar a = zero; + rustsecp256k1zkp_v0_6_0_scalar r = max; + rustsecp256k1zkp_v0_6_0_scalar a = zero; - rustsecp256k1zkp_v0_5_0_scalar_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); r = zero; a = max; - rustsecp256k1zkp_v0_5_0_scalar_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); a = zero; - rustsecp256k1zkp_v0_5_0_scalar_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &zero, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &zero, sizeof(r)) == 0); a = one; - rustsecp256k1zkp_v0_5_0_scalar_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); r = one; a = zero; - rustsecp256k1zkp_v0_5_0_scalar_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_scalar_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); } void ge_storage_cmov_test(void) { - static const rustsecp256k1zkp_v0_5_0_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); - static const rustsecp256k1zkp_v0_5_0_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1); - static const rustsecp256k1zkp_v0_5_0_ge_storage max = SECP256K1_GE_STORAGE_CONST( + static const rustsecp256k1zkp_v0_6_0_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); + static const rustsecp256k1zkp_v0_6_0_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1); + static const rustsecp256k1zkp_v0_6_0_ge_storage max = SECP256K1_GE_STORAGE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL ); - rustsecp256k1zkp_v0_5_0_ge_storage r = max; - rustsecp256k1zkp_v0_5_0_ge_storage a = zero; + rustsecp256k1zkp_v0_6_0_ge_storage r = max; + rustsecp256k1zkp_v0_6_0_ge_storage a = zero; - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); r = zero; a = max; - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &max, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &max, sizeof(r)) == 0); a = zero; - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &zero, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &zero, sizeof(r)) == 0); a = one; - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&r, &a, 1); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&r, &a, 1); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); r = one; a = zero; - rustsecp256k1zkp_v0_5_0_ge_storage_cmov(&r, &a, 0); - CHECK(rustsecp256k1zkp_v0_5_0_memcmp_var(&r, &one, sizeof(r)) == 0); + rustsecp256k1zkp_v0_6_0_ge_storage_cmov(&r, &a, 0); + CHECK(rustsecp256k1zkp_v0_6_0_memcmp_var(&r, &one, sizeof(r)) == 0); } void run_cmov_tests(void) { @@ -5840,7 +6732,7 @@ int main(int argc, char **argv) { count = strtol(argv[1], NULL, 0); } else { const char* env = getenv("SECP256K1_TEST_ITERS"); - if (env) { + if (env && strlen(env) > 0) { count = strtol(env, NULL, 0); } } @@ -5851,38 +6743,35 @@ int main(int argc, char **argv) { printf("test count = %i\n", count); /* find random seed */ - rustsecp256k1zkp_v0_5_0_testrand_init(argc > 2 ? argv[2] : NULL); + rustsecp256k1zkp_v0_6_0_testrand_init(argc > 2 ? argv[2] : NULL); /* initialize */ run_context_tests(0); run_context_tests(1); run_scratch_tests(); - ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - if (rustsecp256k1zkp_v0_5_0_testrand_bits(1)) { + ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + if (rustsecp256k1zkp_v0_6_0_testrand_bits(1)) { unsigned char rand32[32]; - rustsecp256k1zkp_v0_5_0_testrand256(rand32); - CHECK(rustsecp256k1zkp_v0_5_0_context_randomize(ctx, rustsecp256k1zkp_v0_5_0_testrand_bits(1) ? rand32 : NULL)); + rustsecp256k1zkp_v0_6_0_testrand256(rand32); + CHECK(rustsecp256k1zkp_v0_6_0_context_randomize(ctx, rustsecp256k1zkp_v0_6_0_testrand_bits(1) ? rand32 : NULL)); } run_rand_bits(); run_rand_int(); run_util_tests(); + run_ctz_tests(); + run_modinv_tests(); + run_inverse_tests(); + run_sha256_tests(); run_hmac_sha256_tests(); run_rfc6979_hmac_sha256_tests(); -#ifndef USE_NUM_NONE - /* num tests */ - run_num_smalltests(); -#endif - /* scalar tests */ run_scalar_tests(); /* field tests */ - run_field_inv(); - run_field_inv_var(); run_field_misc(); run_field_convert(); run_sqr(); @@ -5926,6 +6815,7 @@ int main(int argc, char **argv) { #endif /* ecdsa tests */ + run_pubkey_comparison(); run_random_pubkeys(); run_ecdsa_der_parse(); run_ecdsa_sign_verify(); @@ -5975,14 +6865,14 @@ int main(int argc, char **argv) { #endif /* util tests */ - run_rustsecp256k1zkp_v0_5_0_memczero_test(); + run_rustsecp256k1zkp_v0_6_0_memczero_test(); run_cmov_tests(); - rustsecp256k1zkp_v0_5_0_testrand_finish(); + rustsecp256k1zkp_v0_6_0_testrand_finish(); /* shutdown */ - rustsecp256k1zkp_v0_5_0_context_destroy(ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(ctx); printf("no problems found\n"); return 0; diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/tests_exhaustive.c b/secp256k1-zkp-sys/depend/secp256k1/src/tests_exhaustive.c index 2bfa6210..5bc4ccd5 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/tests_exhaustive.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/tests_exhaustive.c @@ -10,7 +10,6 @@ #include #include - #include #undef USE_ECMULT_STATIC_PRECOMPUTATION @@ -20,46 +19,46 @@ #define EXHAUSTIVE_TEST_ORDER 13 #endif -#include "include/secp256k1.h" +#include "secp256k1.c" +#include "../include/secp256k1.h" #include "assumptions.h" #include "group.h" -#include "secp256k1.c" #include "testrand_impl.h" static int count = 2; /** stolen from tests.c */ -void ge_equals_ge(const rustsecp256k1zkp_v0_5_0_ge *a, const rustsecp256k1zkp_v0_5_0_ge *b) { +void ge_equals_ge(const rustsecp256k1zkp_v0_6_0_ge *a, const rustsecp256k1zkp_v0_6_0_ge *b) { CHECK(a->infinity == b->infinity); if (a->infinity) { return; } - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&a->x, &b->x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&a->y, &b->y)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&a->x, &b->x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&a->y, &b->y)); } -void ge_equals_gej(const rustsecp256k1zkp_v0_5_0_ge *a, const rustsecp256k1zkp_v0_5_0_gej *b) { - rustsecp256k1zkp_v0_5_0_fe z2s; - rustsecp256k1zkp_v0_5_0_fe u1, u2, s1, s2; +void ge_equals_gej(const rustsecp256k1zkp_v0_6_0_ge *a, const rustsecp256k1zkp_v0_6_0_gej *b) { + rustsecp256k1zkp_v0_6_0_fe z2s; + rustsecp256k1zkp_v0_6_0_fe u1, u2, s1, s2; CHECK(a->infinity == b->infinity); if (a->infinity) { return; } /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ - rustsecp256k1zkp_v0_5_0_fe_sqr(&z2s, &b->z); - rustsecp256k1zkp_v0_5_0_fe_mul(&u1, &a->x, &z2s); - u2 = b->x; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&u2); - rustsecp256k1zkp_v0_5_0_fe_mul(&s1, &a->y, &z2s); rustsecp256k1zkp_v0_5_0_fe_mul(&s1, &s1, &b->z); - s2 = b->y; rustsecp256k1zkp_v0_5_0_fe_normalize_weak(&s2); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&u1, &u2)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&s1, &s2)); + rustsecp256k1zkp_v0_6_0_fe_sqr(&z2s, &b->z); + rustsecp256k1zkp_v0_6_0_fe_mul(&u1, &a->x, &z2s); + u2 = b->x; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&u2); + rustsecp256k1zkp_v0_6_0_fe_mul(&s1, &a->y, &z2s); rustsecp256k1zkp_v0_6_0_fe_mul(&s1, &s1, &b->z); + s2 = b->y; rustsecp256k1zkp_v0_6_0_fe_normalize_weak(&s2); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&u1, &u2)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&s1, &s2)); } -void random_fe(rustsecp256k1zkp_v0_5_0_fe *x) { +void random_fe(rustsecp256k1zkp_v0_6_0_fe *x) { unsigned char bin[32]; do { - rustsecp256k1zkp_v0_5_0_testrand256(bin); - if (rustsecp256k1zkp_v0_5_0_fe_set_b32(x, bin)) { + rustsecp256k1zkp_v0_6_0_testrand256(bin); + if (rustsecp256k1zkp_v0_6_0_fe_set_b32(x, bin)) { return; } } while(1); @@ -75,10 +74,10 @@ SECP256K1_INLINE static int skip_section(uint64_t* iter) { return ((((uint32_t)*iter ^ (*iter >> 32)) * num_cores) >> 32) != this_core; } -int rustsecp256k1zkp_v0_5_0_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, +int rustsecp256k1zkp_v0_6_0_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt) { - rustsecp256k1zkp_v0_5_0_scalar s; + rustsecp256k1zkp_v0_6_0_scalar s; int *idata = data; (void)msg32; (void)key32; @@ -90,97 +89,97 @@ int rustsecp256k1zkp_v0_5_0_nonce_function_smallint(unsigned char *nonce32, cons if (attempt > 0) { *idata = (*idata + 1) % EXHAUSTIVE_TEST_ORDER; } - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s, *idata); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(nonce32, &s); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s, *idata); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(nonce32, &s); return 1; } -void test_exhaustive_endomorphism(const rustsecp256k1zkp_v0_5_0_ge *group) { +void test_exhaustive_endomorphism(const rustsecp256k1zkp_v0_6_0_ge *group) { int i; for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) { - rustsecp256k1zkp_v0_5_0_ge res; - rustsecp256k1zkp_v0_5_0_ge_mul_lambda(&res, &group[i]); + rustsecp256k1zkp_v0_6_0_ge res; + rustsecp256k1zkp_v0_6_0_ge_mul_lambda(&res, &group[i]); ge_equals_ge(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res); } } -void test_exhaustive_addition(const rustsecp256k1zkp_v0_5_0_ge *group, const rustsecp256k1zkp_v0_5_0_gej *groupj) { +void test_exhaustive_addition(const rustsecp256k1zkp_v0_6_0_ge *group, const rustsecp256k1zkp_v0_6_0_gej *groupj) { int i, j; uint64_t iter = 0; /* Sanity-check (and check infinity functions) */ - CHECK(rustsecp256k1zkp_v0_5_0_ge_is_infinity(&group[0])); - CHECK(rustsecp256k1zkp_v0_5_0_gej_is_infinity(&groupj[0])); + CHECK(rustsecp256k1zkp_v0_6_0_ge_is_infinity(&group[0])); + CHECK(rustsecp256k1zkp_v0_6_0_gej_is_infinity(&groupj[0])); for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { - CHECK(!rustsecp256k1zkp_v0_5_0_ge_is_infinity(&group[i])); - CHECK(!rustsecp256k1zkp_v0_5_0_gej_is_infinity(&groupj[i])); + CHECK(!rustsecp256k1zkp_v0_6_0_ge_is_infinity(&group[i])); + CHECK(!rustsecp256k1zkp_v0_6_0_gej_is_infinity(&groupj[i])); } /* Check all addition formulae */ for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) { - rustsecp256k1zkp_v0_5_0_fe fe_inv; + rustsecp256k1zkp_v0_6_0_fe fe_inv; if (skip_section(&iter)) continue; - rustsecp256k1zkp_v0_5_0_fe_inv(&fe_inv, &groupj[j].z); + rustsecp256k1zkp_v0_6_0_fe_inv(&fe_inv, &groupj[j].z); for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) { - rustsecp256k1zkp_v0_5_0_ge zless_gej; - rustsecp256k1zkp_v0_5_0_gej tmp; + rustsecp256k1zkp_v0_6_0_ge zless_gej; + rustsecp256k1zkp_v0_6_0_gej tmp; /* add_var */ - rustsecp256k1zkp_v0_5_0_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL); ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp); /* add_ge */ if (j > 0) { - rustsecp256k1zkp_v0_5_0_gej_add_ge(&tmp, &groupj[i], &group[j]); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&tmp, &groupj[i], &group[j]); ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp); } /* add_ge_var */ - rustsecp256k1zkp_v0_5_0_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL); + rustsecp256k1zkp_v0_6_0_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL); ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp); /* add_zinv_var */ zless_gej.infinity = groupj[j].infinity; zless_gej.x = groupj[j].x; zless_gej.y = groupj[j].y; - rustsecp256k1zkp_v0_5_0_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv); + rustsecp256k1zkp_v0_6_0_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv); ge_equals_gej(&group[(i + j) % EXHAUSTIVE_TEST_ORDER], &tmp); } } /* Check doubling */ for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) { - rustsecp256k1zkp_v0_5_0_gej tmp; - rustsecp256k1zkp_v0_5_0_gej_double(&tmp, &groupj[i]); + rustsecp256k1zkp_v0_6_0_gej tmp; + rustsecp256k1zkp_v0_6_0_gej_double(&tmp, &groupj[i]); ge_equals_gej(&group[(2 * i) % EXHAUSTIVE_TEST_ORDER], &tmp); - rustsecp256k1zkp_v0_5_0_gej_double_var(&tmp, &groupj[i], NULL); + rustsecp256k1zkp_v0_6_0_gej_double_var(&tmp, &groupj[i], NULL); ge_equals_gej(&group[(2 * i) % EXHAUSTIVE_TEST_ORDER], &tmp); } /* Check negation */ for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { - rustsecp256k1zkp_v0_5_0_ge tmp; - rustsecp256k1zkp_v0_5_0_gej tmpj; - rustsecp256k1zkp_v0_5_0_ge_neg(&tmp, &group[i]); + rustsecp256k1zkp_v0_6_0_ge tmp; + rustsecp256k1zkp_v0_6_0_gej tmpj; + rustsecp256k1zkp_v0_6_0_ge_neg(&tmp, &group[i]); ge_equals_ge(&group[EXHAUSTIVE_TEST_ORDER - i], &tmp); - rustsecp256k1zkp_v0_5_0_gej_neg(&tmpj, &groupj[i]); + rustsecp256k1zkp_v0_6_0_gej_neg(&tmpj, &groupj[i]); ge_equals_gej(&group[EXHAUSTIVE_TEST_ORDER - i], &tmpj); } } -void test_exhaustive_ecmult(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge *group, const rustsecp256k1zkp_v0_5_0_gej *groupj) { +void test_exhaustive_ecmult(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge *group, const rustsecp256k1zkp_v0_6_0_gej *groupj) { int i, j, r_log; uint64_t iter = 0; for (r_log = 1; r_log < EXHAUSTIVE_TEST_ORDER; r_log++) { for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) { if (skip_section(&iter)) continue; for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) { - rustsecp256k1zkp_v0_5_0_gej tmp; - rustsecp256k1zkp_v0_5_0_scalar na, ng; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&na, i); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&ng, j); + rustsecp256k1zkp_v0_6_0_gej tmp; + rustsecp256k1zkp_v0_6_0_scalar na, ng; + rustsecp256k1zkp_v0_6_0_scalar_set_int(&na, i); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&ng, j); - rustsecp256k1zkp_v0_5_0_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng); + rustsecp256k1zkp_v0_6_0_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng); ge_equals_gej(&group[(i * r_log + j) % EXHAUSTIVE_TEST_ORDER], &tmp); if (i > 0) { - rustsecp256k1zkp_v0_5_0_ecmult_const(&tmp, &group[i], &ng, 256); + rustsecp256k1zkp_v0_6_0_ecmult_const(&tmp, &group[i], &ng, 256); ge_equals_gej(&group[(i * j) % EXHAUSTIVE_TEST_ORDER], &tmp); } } @@ -189,111 +188,111 @@ void test_exhaustive_ecmult(const rustsecp256k1zkp_v0_5_0_context *ctx, const ru } typedef struct { - rustsecp256k1zkp_v0_5_0_scalar sc[2]; - rustsecp256k1zkp_v0_5_0_ge pt[2]; + rustsecp256k1zkp_v0_6_0_scalar sc[2]; + rustsecp256k1zkp_v0_6_0_ge pt[2]; } ecmult_multi_data; -static int ecmult_multi_callback(rustsecp256k1zkp_v0_5_0_scalar *sc, rustsecp256k1zkp_v0_5_0_ge *pt, size_t idx, void *cbdata) { +static int ecmult_multi_callback(rustsecp256k1zkp_v0_6_0_scalar *sc, rustsecp256k1zkp_v0_6_0_ge *pt, size_t idx, void *cbdata) { ecmult_multi_data *data = (ecmult_multi_data*) cbdata; *sc = data->sc[idx]; *pt = data->pt[idx]; return 1; } -void test_exhaustive_ecmult_multi(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge *group) { +void test_exhaustive_ecmult_multi(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge *group) { int i, j, k, x, y; uint64_t iter = 0; - rustsecp256k1zkp_v0_5_0_scratch *scratch = rustsecp256k1zkp_v0_5_0_scratch_create(&ctx->error_callback, 4096); + rustsecp256k1zkp_v0_6_0_scratch *scratch = rustsecp256k1zkp_v0_6_0_scratch_create(&ctx->error_callback, 4096); for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) { for (j = 0; j < EXHAUSTIVE_TEST_ORDER; j++) { for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) { for (x = 0; x < EXHAUSTIVE_TEST_ORDER; x++) { if (skip_section(&iter)) continue; for (y = 0; y < EXHAUSTIVE_TEST_ORDER; y++) { - rustsecp256k1zkp_v0_5_0_gej tmp; - rustsecp256k1zkp_v0_5_0_scalar g_sc; + rustsecp256k1zkp_v0_6_0_gej tmp; + rustsecp256k1zkp_v0_6_0_scalar g_sc; ecmult_multi_data data; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&data.sc[0], i); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&data.sc[1], j); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&g_sc, k); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&data.sc[0], i); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&data.sc[1], j); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&g_sc, k); data.pt[0] = group[x]; data.pt[1] = group[y]; - rustsecp256k1zkp_v0_5_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &tmp, &g_sc, ecmult_multi_callback, &data, 2); + rustsecp256k1zkp_v0_6_0_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &tmp, &g_sc, ecmult_multi_callback, &data, 2); ge_equals_gej(&group[(i * x + j * y + k) % EXHAUSTIVE_TEST_ORDER], &tmp); } } } } } - rustsecp256k1zkp_v0_5_0_scratch_destroy(&ctx->error_callback, scratch); + rustsecp256k1zkp_v0_6_0_scratch_destroy(&ctx->error_callback, scratch); } -void r_from_k(rustsecp256k1zkp_v0_5_0_scalar *r, const rustsecp256k1zkp_v0_5_0_ge *group, int k, int* overflow) { - rustsecp256k1zkp_v0_5_0_fe x; +void r_from_k(rustsecp256k1zkp_v0_6_0_scalar *r, const rustsecp256k1zkp_v0_6_0_ge *group, int k, int* overflow) { + rustsecp256k1zkp_v0_6_0_fe x; unsigned char x_bin[32]; k %= EXHAUSTIVE_TEST_ORDER; x = group[k].x; - rustsecp256k1zkp_v0_5_0_fe_normalize(&x); - rustsecp256k1zkp_v0_5_0_fe_get_b32(x_bin, &x); - rustsecp256k1zkp_v0_5_0_scalar_set_b32(r, x_bin, overflow); + rustsecp256k1zkp_v0_6_0_fe_normalize(&x); + rustsecp256k1zkp_v0_6_0_fe_get_b32(x_bin, &x); + rustsecp256k1zkp_v0_6_0_scalar_set_b32(r, x_bin, overflow); } -void test_exhaustive_verify(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge *group) { +void test_exhaustive_verify(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge *group) { int s, r, msg, key; uint64_t iter = 0; for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) { for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) { for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) { for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) { - rustsecp256k1zkp_v0_5_0_ge nonconst_ge; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; - rustsecp256k1zkp_v0_5_0_pubkey pk; - rustsecp256k1zkp_v0_5_0_scalar sk_s, msg_s, r_s, s_s; - rustsecp256k1zkp_v0_5_0_scalar s_times_k_s, msg_plus_r_times_sk_s; + rustsecp256k1zkp_v0_6_0_ge nonconst_ge; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_pubkey pk; + rustsecp256k1zkp_v0_6_0_scalar sk_s, msg_s, r_s, s_s; + rustsecp256k1zkp_v0_6_0_scalar s_times_k_s, msg_plus_r_times_sk_s; int k, should_verify; unsigned char msg32[32]; if (skip_section(&iter)) continue; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s_s, s); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&r_s, r); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg_s, msg); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sk_s, key); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s_s, s); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&r_s, r); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg_s, msg); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sk_s, key); /* Verify by hand */ /* Run through every k value that gives us this r and check that *one* works. * Note there could be none, there could be multiple, ECDSA is weird. */ should_verify = 0; for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) { - rustsecp256k1zkp_v0_5_0_scalar check_x_s; + rustsecp256k1zkp_v0_6_0_scalar check_x_s; r_from_k(&check_x_s, group, k, NULL); if (r_s == check_x_s) { - rustsecp256k1zkp_v0_5_0_scalar_set_int(&s_times_k_s, k); - rustsecp256k1zkp_v0_5_0_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); - rustsecp256k1zkp_v0_5_0_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); - rustsecp256k1zkp_v0_5_0_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); - should_verify |= rustsecp256k1zkp_v0_5_0_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&s_times_k_s, k); + rustsecp256k1zkp_v0_6_0_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); + rustsecp256k1zkp_v0_6_0_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); + rustsecp256k1zkp_v0_6_0_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); + should_verify |= rustsecp256k1zkp_v0_6_0_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); } } /* nb we have a "high s" rule */ - should_verify &= !rustsecp256k1zkp_v0_5_0_scalar_is_high(&s_s); + should_verify &= !rustsecp256k1zkp_v0_6_0_scalar_is_high(&s_s); /* Verify by calling verify */ - rustsecp256k1zkp_v0_5_0_ecdsa_signature_save(&sig, &r_s, &s_s); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_save(&sig, &r_s, &s_s); memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge)); - rustsecp256k1zkp_v0_5_0_pubkey_save(&pk, &nonconst_ge); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(msg32, &msg_s); + rustsecp256k1zkp_v0_6_0_pubkey_save(&pk, &nonconst_ge); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(msg32, &msg_s); CHECK(should_verify == - rustsecp256k1zkp_v0_5_0_ecdsa_verify(ctx, &sig, msg32, &pk)); + rustsecp256k1zkp_v0_6_0_ecdsa_verify(ctx, &sig, msg32, &pk)); } } } } } -void test_exhaustive_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, const rustsecp256k1zkp_v0_5_0_ge *group) { +void test_exhaustive_sign(const rustsecp256k1zkp_v0_6_0_context *ctx, const rustsecp256k1zkp_v0_6_0_ge *group) { int i, j, k; uint64_t iter = 0; @@ -303,17 +302,17 @@ void test_exhaustive_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, const rust if (skip_section(&iter)) continue; for (k = 1; k < EXHAUSTIVE_TEST_ORDER; k++) { /* nonce */ const int starting_k = k; - rustsecp256k1zkp_v0_5_0_ecdsa_signature sig; - rustsecp256k1zkp_v0_5_0_scalar sk, msg, r, s, expected_r; + rustsecp256k1zkp_v0_6_0_ecdsa_signature sig; + rustsecp256k1zkp_v0_6_0_scalar sk, msg, r, s, expected_r; unsigned char sk32[32], msg32[32]; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&msg, i); - rustsecp256k1zkp_v0_5_0_scalar_set_int(&sk, j); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(sk32, &sk); - rustsecp256k1zkp_v0_5_0_scalar_get_b32(msg32, &msg); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&msg, i); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&sk, j); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(sk32, &sk); + rustsecp256k1zkp_v0_6_0_scalar_get_b32(msg32, &msg); - rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &sig, msg32, sk32, rustsecp256k1zkp_v0_5_0_nonce_function_smallint, &k); + rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &sig, msg32, sk32, rustsecp256k1zkp_v0_6_0_nonce_function_smallint, &k); - rustsecp256k1zkp_v0_5_0_ecdsa_signature_load(ctx, &r, &s, &sig); + rustsecp256k1zkp_v0_6_0_ecdsa_signature_load(ctx, &r, &s, &sig); /* Note that we compute expected_r *after* signing -- this is important * because our nonce-computing function function might change k during * signing. */ @@ -354,10 +353,10 @@ void test_exhaustive_sign(const rustsecp256k1zkp_v0_5_0_context *ctx, const rust int main(int argc, char** argv) { int i; - rustsecp256k1zkp_v0_5_0_gej groupj[EXHAUSTIVE_TEST_ORDER]; - rustsecp256k1zkp_v0_5_0_ge group[EXHAUSTIVE_TEST_ORDER]; + rustsecp256k1zkp_v0_6_0_gej groupj[EXHAUSTIVE_TEST_ORDER]; + rustsecp256k1zkp_v0_6_0_ge group[EXHAUSTIVE_TEST_ORDER]; unsigned char rand32[32]; - rustsecp256k1zkp_v0_5_0_context *ctx; + rustsecp256k1zkp_v0_6_0_context *ctx; /* Disable buffering for stdout to improve reliability of getting * diagnostic information. Happens right at the start of main because @@ -376,7 +375,7 @@ int main(int argc, char** argv) { printf("test count = %i\n", count); /* find random seed */ - rustsecp256k1zkp_v0_5_0_testrand_init(argc > 2 ? argv[2] : NULL); + rustsecp256k1zkp_v0_6_0_testrand_init(argc > 2 ? argv[2] : NULL); /* set up split processing */ if (argc > 4) { @@ -391,38 +390,38 @@ int main(int argc, char** argv) { while (count--) { /* Build context */ - ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - rustsecp256k1zkp_v0_5_0_testrand256(rand32); - CHECK(rustsecp256k1zkp_v0_5_0_context_randomize(ctx, rand32)); + ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1zkp_v0_6_0_testrand256(rand32); + CHECK(rustsecp256k1zkp_v0_6_0_context_randomize(ctx, rand32)); /* Generate the entire group */ - rustsecp256k1zkp_v0_5_0_gej_set_infinity(&groupj[0]); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&group[0], &groupj[0]); + rustsecp256k1zkp_v0_6_0_gej_set_infinity(&groupj[0]); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&group[0], &groupj[0]); for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { - rustsecp256k1zkp_v0_5_0_gej_add_ge(&groupj[i], &groupj[i - 1], &rustsecp256k1zkp_v0_5_0_ge_const_g); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&group[i], &groupj[i]); + rustsecp256k1zkp_v0_6_0_gej_add_ge(&groupj[i], &groupj[i - 1], &rustsecp256k1zkp_v0_6_0_ge_const_g); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&group[i], &groupj[i]); if (count != 0) { /* Set a different random z-value for each Jacobian point, except z=1 is used in the last iteration. */ - rustsecp256k1zkp_v0_5_0_fe z; + rustsecp256k1zkp_v0_6_0_fe z; random_fe(&z); - rustsecp256k1zkp_v0_5_0_gej_rescale(&groupj[i], &z); + rustsecp256k1zkp_v0_6_0_gej_rescale(&groupj[i], &z); } /* Verify against ecmult_gen */ { - rustsecp256k1zkp_v0_5_0_scalar scalar_i; - rustsecp256k1zkp_v0_5_0_gej generatedj; - rustsecp256k1zkp_v0_5_0_ge generated; + rustsecp256k1zkp_v0_6_0_scalar scalar_i; + rustsecp256k1zkp_v0_6_0_gej generatedj; + rustsecp256k1zkp_v0_6_0_ge generated; - rustsecp256k1zkp_v0_5_0_scalar_set_int(&scalar_i, i); - rustsecp256k1zkp_v0_5_0_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i); - rustsecp256k1zkp_v0_5_0_ge_set_gej(&generated, &generatedj); + rustsecp256k1zkp_v0_6_0_scalar_set_int(&scalar_i, i); + rustsecp256k1zkp_v0_6_0_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i); + rustsecp256k1zkp_v0_6_0_ge_set_gej(&generated, &generatedj); CHECK(group[i].infinity == 0); CHECK(generated.infinity == 0); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&generated.x, &group[i].x)); - CHECK(rustsecp256k1zkp_v0_5_0_fe_equal_var(&generated.y, &group[i].y)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&generated.x, &group[i].x)); + CHECK(rustsecp256k1zkp_v0_6_0_fe_equal_var(&generated.y, &group[i].y)); } } @@ -444,10 +443,10 @@ int main(int argc, char** argv) { test_exhaustive_schnorrsig(ctx); #endif - rustsecp256k1zkp_v0_5_0_context_destroy(ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(ctx); } - rustsecp256k1zkp_v0_5_0_testrand_finish(); + rustsecp256k1zkp_v0_6_0_testrand_finish(); printf("no problems found\n"); return 0; diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/util.h b/secp256k1-zkp-sys/depend/secp256k1/src/util.h index 6e4f4323..fb8c093c 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/util.h +++ b/secp256k1-zkp-sys/depend/secp256k1/src/util.h @@ -19,9 +19,9 @@ typedef struct { void (*fn)(const char *text, void* data); const void* data; -} rustsecp256k1zkp_v0_5_0_callback; +} rustsecp256k1zkp_v0_6_0_callback; -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_callback_call(const rustsecp256k1zkp_v0_5_0_callback * const cb, const char * const text) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_callback_call(const rustsecp256k1zkp_v0_6_0_callback * const cb, const char * const text) { cb->fn(text, (void*)cb->data); } @@ -130,7 +130,7 @@ static SECP256K1_INLINE void *manual_alloc(void** prealloc_ptr, size_t alloc_siz } /* Extract the sign of an int64, take the abs and return a uint64, constant time. */ -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_sign_and_abs64(uint64_t *out, int64_t in) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_sign_and_abs64(uint64_t *out, int64_t in) { uint64_t mask0, mask1; int ret; ret = in < 0; @@ -141,7 +141,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_sign_and_abs64(uint64_t *out return ret; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_clz64_var(uint64_t x) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_clz64_var(uint64_t x) { int ret; if (!x) { return 64; @@ -212,7 +212,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_clz64_var(uint64_t x) { #endif /* Zero memory if flag == 1. Flag must be 0 or 1. Constant time. */ -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_memczero(void *s, size_t len, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_memczero(void *s, size_t len, int flag) { unsigned char *p = (unsigned char *)s; /* Access flag with a volatile-qualified lvalue. This prevents clang from figuring out (after inlining) that flag can @@ -231,7 +231,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_memczero(void *s, size_t le * We use this to avoid possible compiler bugs with memcmp, e.g. * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189 */ -static SECP256K1_INLINE int rustsecp256k1zkp_v0_5_0_memcmp_var(const void *s1, const void *s2, size_t n) { +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_memcmp_var(const void *s1, const void *s2, size_t n) { const unsigned char *p1 = s1, *p2 = s2; size_t i; @@ -245,7 +245,7 @@ static SECP256K1_INLINE int rustsecp256k1zkp_v0_5_0_memcmp_var(const void *s1, c } /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized and non-negative.*/ -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_int_cmov(int *r, const int *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_int_cmov(int *r, const int *a, int flag) { unsigned int mask0, mask1, r_masked, a_masked; /* Access flag with a volatile-qualified lvalue. This prevents clang from figuring out (after inlining) that flag can @@ -286,4 +286,69 @@ SECP256K1_GNUC_EXT typedef __int128 int128_t; # endif #endif +#ifndef __has_builtin +#define __has_builtin(x) 0 +#endif + +/* Determine the number of trailing zero bits in a (non-zero) 32-bit x. + * This function is only intended to be used as fallback for + * rustsecp256k1zkp_v0_6_0_ctz32_var, but permits it to be tested separately. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz32_var_debruijn(uint32_t x) { + static const uint8_t debruijn[32] = { + 0x00, 0x01, 0x02, 0x18, 0x03, 0x13, 0x06, 0x19, 0x16, 0x04, 0x14, 0x0A, + 0x10, 0x07, 0x0C, 0x1A, 0x1F, 0x17, 0x12, 0x05, 0x15, 0x09, 0x0F, 0x0B, + 0x1E, 0x11, 0x08, 0x0E, 0x1D, 0x0D, 0x1C, 0x1B + }; + return debruijn[((x & -x) * 0x04D7651F) >> 27]; +} + +/* Determine the number of trailing zero bits in a (non-zero) 64-bit x. + * This function is only intended to be used as fallback for + * rustsecp256k1zkp_v0_6_0_ctz64_var, but permits it to be tested separately. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz64_var_debruijn(uint64_t x) { + static const uint8_t debruijn[64] = { + 0, 1, 2, 53, 3, 7, 54, 27, 4, 38, 41, 8, 34, 55, 48, 28, + 62, 5, 39, 46, 44, 42, 22, 9, 24, 35, 59, 56, 49, 18, 29, 11, + 63, 52, 6, 26, 37, 40, 33, 47, 61, 45, 43, 21, 23, 58, 17, 10, + 51, 25, 36, 32, 60, 20, 57, 16, 50, 31, 19, 15, 30, 14, 13, 12 + }; + return debruijn[((x & -x) * 0x022FDD63CC95386D) >> 58]; +} + +/* Determine the number of trailing zero bits in a (non-zero) 32-bit x. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz32_var(uint32_t x) { + VERIFY_CHECK(x != 0); +#if (__has_builtin(__builtin_ctz) || SECP256K1_GNUC_PREREQ(3,4)) + /* If the unsigned type is sufficient to represent the largest uint32_t, consider __builtin_ctz. */ + if (((unsigned)UINT32_MAX) == UINT32_MAX) { + return __builtin_ctz(x); + } +#endif +#if (__has_builtin(__builtin_ctzl) || SECP256K1_GNUC_PREREQ(3,4)) + /* Otherwise consider __builtin_ctzl (the unsigned long type is always at least 32 bits). */ + return __builtin_ctzl(x); +#else + /* If no suitable CTZ builtin is available, use a (variable time) software emulation. */ + return rustsecp256k1zkp_v0_6_0_ctz32_var_debruijn(x); +#endif +} + +/* Determine the number of trailing zero bits in a (non-zero) 64-bit x. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz64_var(uint64_t x) { + VERIFY_CHECK(x != 0); +#if (__has_builtin(__builtin_ctzl) || SECP256K1_GNUC_PREREQ(3,4)) + /* If the unsigned long type is sufficient to represent the largest uint64_t, consider __builtin_ctzl. */ + if (((unsigned long)UINT64_MAX) == UINT64_MAX) { + return __builtin_ctzl(x); + } +#endif +#if (__has_builtin(__builtin_ctzll) || SECP256K1_GNUC_PREREQ(3,4)) + /* Otherwise consider __builtin_ctzll (the unsigned long long type is always at least 64 bits). */ + return __builtin_ctzll(x); +#else + /* If no suitable CTZ builtin is available, use a (variable time) software emulation. */ + return rustsecp256k1zkp_v0_6_0_ctz64_var_debruijn(x); +#endif +} + #endif /* SECP256K1_UTIL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/util.h.orig b/secp256k1-zkp-sys/depend/secp256k1/src/util.h.orig index 2d50ccfc..b16aff40 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/util.h.orig +++ b/secp256k1-zkp-sys/depend/secp256k1/src/util.h.orig @@ -19,9 +19,9 @@ typedef struct { void (*fn)(const char *text, void* data); const void* data; -} rustsecp256k1zkp_v0_5_0_callback; +} rustsecp256k1zkp_v0_6_0_callback; -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_callback_call(const rustsecp256k1zkp_v0_5_0_callback * const cb, const char * const text) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_callback_call(const rustsecp256k1zkp_v0_6_0_callback * const cb, const char * const text) { cb->fn(text, (void*)cb->data); } @@ -88,18 +88,18 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_callback_call(const rustsec #define VG_CHECK_VERIFY(x,y) #endif -static SECP256K1_INLINE void *checked_malloc(const rustsecp256k1zkp_v0_5_0_callback* cb, size_t size) { +static SECP256K1_INLINE void *checked_malloc(const rustsecp256k1zkp_v0_6_0_callback* cb, size_t size) { void *ret = malloc(size); if (ret == NULL) { - rustsecp256k1zkp_v0_5_0_callback_call(cb, "Out of memory"); + rustsecp256k1zkp_v0_6_0_callback_call(cb, "Out of memory"); } return ret; } -static SECP256K1_INLINE void *checked_realloc(const rustsecp256k1zkp_v0_5_0_callback* cb, void *ptr, size_t size) { +static SECP256K1_INLINE void *checked_realloc(const rustsecp256k1zkp_v0_6_0_callback* cb, void *ptr, size_t size) { void *ret = realloc(ptr, size); if (ret == NULL) { - rustsecp256k1zkp_v0_5_0_callback_call(cb, "Out of memory"); + rustsecp256k1zkp_v0_6_0_callback_call(cb, "Out of memory"); } return ret; } @@ -146,7 +146,7 @@ static SECP256K1_INLINE void *manual_alloc(void** prealloc_ptr, size_t alloc_siz } /* Extract the sign of an int64, take the abs and return a uint64, constant time. */ -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_sign_and_abs64(uint64_t *out, int64_t in) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_sign_and_abs64(uint64_t *out, int64_t in) { uint64_t mask0, mask1; int ret; ret = in < 0; @@ -157,7 +157,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_sign_and_abs64(uint64_t *out return ret; } -SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_clz64_var(uint64_t x) { +SECP256K1_INLINE static int rustsecp256k1zkp_v0_6_0_clz64_var(uint64_t x) { int ret; if (!x) { return 64; @@ -228,7 +228,7 @@ SECP256K1_INLINE static int rustsecp256k1zkp_v0_5_0_clz64_var(uint64_t x) { #endif /* Zero memory if flag == 1. Flag must be 0 or 1. Constant time. */ -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_memczero(void *s, size_t len, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_memczero(void *s, size_t len, int flag) { unsigned char *p = (unsigned char *)s; /* Access flag with a volatile-qualified lvalue. This prevents clang from figuring out (after inlining) that flag can @@ -247,7 +247,7 @@ static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_memczero(void *s, size_t le * We use this to avoid possible compiler bugs with memcmp, e.g. * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189 */ -static SECP256K1_INLINE int rustsecp256k1zkp_v0_5_0_memcmp_var(const void *s1, const void *s2, size_t n) { +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_memcmp_var(const void *s1, const void *s2, size_t n) { const unsigned char *p1 = s1, *p2 = s2; size_t i; @@ -261,7 +261,7 @@ static SECP256K1_INLINE int rustsecp256k1zkp_v0_5_0_memcmp_var(const void *s1, c } /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized and non-negative.*/ -static SECP256K1_INLINE void rustsecp256k1zkp_v0_5_0_int_cmov(int *r, const int *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1zkp_v0_6_0_int_cmov(int *r, const int *a, int flag) { unsigned int mask0, mask1, r_masked, a_masked; /* Access flag with a volatile-qualified lvalue. This prevents clang from figuring out (after inlining) that flag can @@ -302,4 +302,69 @@ SECP256K1_GNUC_EXT typedef __int128 int128_t; # endif #endif +#ifndef __has_builtin +#define __has_builtin(x) 0 +#endif + +/* Determine the number of trailing zero bits in a (non-zero) 32-bit x. + * This function is only intended to be used as fallback for + * rustsecp256k1zkp_v0_6_0_ctz32_var, but permits it to be tested separately. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz32_var_debruijn(uint32_t x) { + static const uint8_t debruijn[32] = { + 0x00, 0x01, 0x02, 0x18, 0x03, 0x13, 0x06, 0x19, 0x16, 0x04, 0x14, 0x0A, + 0x10, 0x07, 0x0C, 0x1A, 0x1F, 0x17, 0x12, 0x05, 0x15, 0x09, 0x0F, 0x0B, + 0x1E, 0x11, 0x08, 0x0E, 0x1D, 0x0D, 0x1C, 0x1B + }; + return debruijn[((x & -x) * 0x04D7651F) >> 27]; +} + +/* Determine the number of trailing zero bits in a (non-zero) 64-bit x. + * This function is only intended to be used as fallback for + * rustsecp256k1zkp_v0_6_0_ctz64_var, but permits it to be tested separately. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz64_var_debruijn(uint64_t x) { + static const uint8_t debruijn[64] = { + 0, 1, 2, 53, 3, 7, 54, 27, 4, 38, 41, 8, 34, 55, 48, 28, + 62, 5, 39, 46, 44, 42, 22, 9, 24, 35, 59, 56, 49, 18, 29, 11, + 63, 52, 6, 26, 37, 40, 33, 47, 61, 45, 43, 21, 23, 58, 17, 10, + 51, 25, 36, 32, 60, 20, 57, 16, 50, 31, 19, 15, 30, 14, 13, 12 + }; + return debruijn[((x & -x) * 0x022FDD63CC95386D) >> 58]; +} + +/* Determine the number of trailing zero bits in a (non-zero) 32-bit x. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz32_var(uint32_t x) { + VERIFY_CHECK(x != 0); +#if (__has_builtin(__builtin_ctz) || SECP256K1_GNUC_PREREQ(3,4)) + /* If the unsigned type is sufficient to represent the largest uint32_t, consider __builtin_ctz. */ + if (((unsigned)UINT32_MAX) == UINT32_MAX) { + return __builtin_ctz(x); + } +#endif +#if (__has_builtin(__builtin_ctzl) || SECP256K1_GNUC_PREREQ(3,4)) + /* Otherwise consider __builtin_ctzl (the unsigned long type is always at least 32 bits). */ + return __builtin_ctzl(x); +#else + /* If no suitable CTZ builtin is available, use a (variable time) software emulation. */ + return rustsecp256k1zkp_v0_6_0_ctz32_var_debruijn(x); +#endif +} + +/* Determine the number of trailing zero bits in a (non-zero) 64-bit x. */ +static SECP256K1_INLINE int rustsecp256k1zkp_v0_6_0_ctz64_var(uint64_t x) { + VERIFY_CHECK(x != 0); +#if (__has_builtin(__builtin_ctzl) || SECP256K1_GNUC_PREREQ(3,4)) + /* If the unsigned long type is sufficient to represent the largest uint64_t, consider __builtin_ctzl. */ + if (((unsigned long)UINT64_MAX) == UINT64_MAX) { + return __builtin_ctzl(x); + } +#endif +#if (__has_builtin(__builtin_ctzll) || SECP256K1_GNUC_PREREQ(3,4)) + /* Otherwise consider __builtin_ctzll (the unsigned long long type is always at least 64 bits). */ + return __builtin_ctzll(x); +#else + /* If no suitable CTZ builtin is available, use a (variable time) software emulation. */ + return rustsecp256k1zkp_v0_6_0_ctz64_var_debruijn(x); +#endif +} + #endif /* SECP256K1_UTIL_H */ diff --git a/secp256k1-zkp-sys/depend/secp256k1/src/valgrind_ctime_test.c b/secp256k1-zkp-sys/depend/secp256k1/src/valgrind_ctime_test.c index c2b2eae9..a14035aa 100644 --- a/secp256k1-zkp-sys/depend/secp256k1/src/valgrind_ctime_test.c +++ b/secp256k1-zkp-sys/depend/secp256k1/src/valgrind_ctime_test.c @@ -7,24 +7,24 @@ #include #include -#include "include/secp256k1.h" +#include "../include/secp256k1.h" #include "assumptions.h" #include "util.h" #ifdef ENABLE_MODULE_ECDH -#include "include/secp256k1_ecdh.h" +#include "../include/secp256k1_ecdh.h" #endif #ifdef ENABLE_MODULE_RECOVERY -#include "include/secp256k1_recovery.h" +#include "../include/secp256k1_recovery.h" #endif #ifdef ENABLE_MODULE_EXTRAKEYS -#include "include/secp256k1_extrakeys.h" +#include "../include/secp256k1_extrakeys.h" #endif #ifdef ENABLE_MODULE_SCHNORRSIG -#include "include/secp256k1_schnorrsig.h" +#include "../include/secp256k1_schnorrsig.h" #endif #ifdef ENABLE_MODULE_ECDSA_S2C @@ -35,10 +35,10 @@ #include "include/secp256k1_ecdsa_adaptor.h" #endif -void run_tests(rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *key); +void run_tests(rustsecp256k1zkp_v0_6_0_context *ctx, unsigned char *key); int main(void) { - rustsecp256k1zkp_v0_5_0_context* ctx; + rustsecp256k1zkp_v0_6_0_context* ctx; unsigned char key[32]; int ret, i; @@ -47,7 +47,7 @@ int main(void) { fprintf(stderr, "Usage: libtool --mode=execute valgrind ./valgrind_ctime_test\n"); return 1; } - ctx = rustsecp256k1zkp_v0_5_0_context_create(SECP256K1_CONTEXT_SIGN + ctx = rustsecp256k1zkp_v0_6_0_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_DECLASSIFY); /** In theory, testing with a single secret input should be sufficient: @@ -62,17 +62,17 @@ int main(void) { /* Test context randomisation. Do this last because it leaves the context * tainted. */ VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_context_randomize(ctx, key); + ret = rustsecp256k1zkp_v0_6_0_context_randomize(ctx, key); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret); - rustsecp256k1zkp_v0_5_0_context_destroy(ctx); + rustsecp256k1zkp_v0_6_0_context_destroy(ctx); return 0; } -void run_tests(rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *key) { - rustsecp256k1zkp_v0_5_0_ecdsa_signature signature; - rustsecp256k1zkp_v0_5_0_pubkey pubkey; +void run_tests(rustsecp256k1zkp_v0_6_0_context *ctx, unsigned char *key) { + rustsecp256k1zkp_v0_6_0_ecdsa_signature signature; + rustsecp256k1zkp_v0_6_0_pubkey pubkey; size_t siglen = 74; size_t outputlen = 33; int i; @@ -81,11 +81,11 @@ void run_tests(rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *key) { unsigned char sig[74]; unsigned char spubkey[33]; #ifdef ENABLE_MODULE_RECOVERY - rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature recoverable_signature; + rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature recoverable_signature; int recid; #endif #ifdef ENABLE_MODULE_EXTRAKEYS - rustsecp256k1zkp_v0_5_0_keypair keypair; + rustsecp256k1zkp_v0_6_0_keypair keypair; #endif for (i = 0; i < 32; i++) { @@ -94,24 +94,24 @@ void run_tests(rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *key) { /* Test keygen. */ VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &pubkey, key); - VALGRIND_MAKE_MEM_DEFINED(&pubkey, sizeof(rustsecp256k1zkp_v0_5_0_pubkey)); + ret = rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &pubkey, key); + VALGRIND_MAKE_MEM_DEFINED(&pubkey, sizeof(rustsecp256k1zkp_v0_6_0_pubkey)); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret); - CHECK(rustsecp256k1zkp_v0_5_0_ec_pubkey_serialize(ctx, spubkey, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1zkp_v0_6_0_ec_pubkey_serialize(ctx, spubkey, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED) == 1); /* Test signing. */ VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sign(ctx, &signature, msg, key, NULL, NULL); - VALGRIND_MAKE_MEM_DEFINED(&signature, sizeof(rustsecp256k1zkp_v0_5_0_ecdsa_signature)); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sign(ctx, &signature, msg, key, NULL, NULL); + VALGRIND_MAKE_MEM_DEFINED(&signature, sizeof(rustsecp256k1zkp_v0_6_0_ecdsa_signature)); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature)); #ifdef ENABLE_MODULE_ECDH /* Test ECDH. */ VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdh(ctx, msg, &pubkey, key, NULL, NULL); + ret = rustsecp256k1zkp_v0_6_0_ecdh(ctx, msg, &pubkey, key, NULL, NULL); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); #endif @@ -119,62 +119,62 @@ void run_tests(rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *key) { #ifdef ENABLE_MODULE_RECOVERY /* Test signing a recoverable signature. */ VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_sign_recoverable(ctx, &recoverable_signature, msg, key, NULL, NULL); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_sign_recoverable(ctx, &recoverable_signature, msg, key, NULL, NULL); VALGRIND_MAKE_MEM_DEFINED(&recoverable_signature, sizeof(recoverable_signature)); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret); - CHECK(rustsecp256k1zkp_v0_5_0_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recoverable_signature)); + CHECK(rustsecp256k1zkp_v0_6_0_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recoverable_signature)); CHECK(recid >= 0 && recid <= 3); #endif VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_ec_seckey_verify(ctx, key); + ret = rustsecp256k1zkp_v0_6_0_ec_seckey_verify(ctx, key); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_ec_seckey_negate(ctx, key); + ret = rustsecp256k1zkp_v0_6_0_ec_seckey_negate(ctx, key); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(key, 32); VALGRIND_MAKE_MEM_UNDEFINED(msg, 32); - ret = rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_add(ctx, key, msg); + ret = rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_add(ctx, key, msg); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(key, 32); VALGRIND_MAKE_MEM_UNDEFINED(msg, 32); - ret = rustsecp256k1zkp_v0_5_0_ec_seckey_tweak_mul(ctx, key, msg); + ret = rustsecp256k1zkp_v0_6_0_ec_seckey_tweak_mul(ctx, key, msg); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); /* Test keypair_create and keypair_xonly_tweak_add. */ #ifdef ENABLE_MODULE_EXTRAKEYS VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, key); + ret = rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, key); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); /* The tweak is not treated as a secret in keypair_tweak_add */ VALGRIND_MAKE_MEM_DEFINED(msg, 32); - ret = rustsecp256k1zkp_v0_5_0_keypair_xonly_tweak_add(ctx, &keypair, msg); + ret = rustsecp256k1zkp_v0_6_0_keypair_xonly_tweak_add(ctx, &keypair, msg); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(key, 32); VALGRIND_MAKE_MEM_UNDEFINED(&keypair, sizeof(keypair)); - ret = rustsecp256k1zkp_v0_5_0_keypair_sec(ctx, key, &keypair); + ret = rustsecp256k1zkp_v0_6_0_keypair_sec(ctx, key, &keypair); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); #endif #ifdef ENABLE_MODULE_SCHNORRSIG VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_keypair_create(ctx, &keypair, key); + ret = rustsecp256k1zkp_v0_6_0_keypair_create(ctx, &keypair, key); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); - ret = rustsecp256k1zkp_v0_5_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL); + ret = rustsecp256k1zkp_v0_6_0_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); #endif @@ -183,22 +183,22 @@ void run_tests(rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *key) { { unsigned char s2c_data[32] = {0}; unsigned char s2c_data_comm[32] = {0}; - rustsecp256k1zkp_v0_5_0_ecdsa_s2c_opening s2c_opening; + rustsecp256k1zkp_v0_6_0_ecdsa_s2c_opening s2c_opening; VALGRIND_MAKE_MEM_UNDEFINED(key, 32); VALGRIND_MAKE_MEM_UNDEFINED(s2c_data, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, msg, key, s2c_data); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, msg, key, s2c_data); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(s2c_data, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_host_commit(ctx, s2c_data_comm, s2c_data); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_host_commit(ctx, s2c_data_comm, s2c_data); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(key, 32); VALGRIND_MAKE_MEM_UNDEFINED(s2c_data, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, key, s2c_data); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, key, s2c_data); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); } @@ -209,34 +209,34 @@ void run_tests(rustsecp256k1zkp_v0_5_0_context *ctx, unsigned char *key) { unsigned char adaptor_sig[162]; unsigned char deckey[32]; unsigned char expected_deckey[32]; - rustsecp256k1zkp_v0_5_0_pubkey enckey; + rustsecp256k1zkp_v0_6_0_pubkey enckey; for (i = 0; i < 32; i++) { deckey[i] = i + 2; } - ret = rustsecp256k1zkp_v0_5_0_ec_pubkey_create(ctx, &enckey, deckey); + ret = rustsecp256k1zkp_v0_6_0_ec_pubkey_create(ctx, &enckey, deckey); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(key, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, key, &enckey, msg, NULL, NULL); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt(ctx, adaptor_sig, key, &enckey, msg, NULL, NULL); VALGRIND_MAKE_MEM_DEFINED(adaptor_sig, sizeof(adaptor_sig)); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(deckey, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt(ctx, &signature, deckey, adaptor_sig); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt(ctx, &signature, deckey, adaptor_sig); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_UNDEFINED(&signature, 32); - ret = rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover(ctx, expected_deckey, &signature, adaptor_sig, &enckey); + ret = rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover(ctx, expected_deckey, &signature, adaptor_sig, &enckey); VALGRIND_MAKE_MEM_DEFINED(expected_deckey, sizeof(expected_deckey)); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 1); VALGRIND_MAKE_MEM_DEFINED(deckey, sizeof(deckey)); - ret = rustsecp256k1zkp_v0_5_0_memcmp_var(deckey, expected_deckey, sizeof(expected_deckey)); + ret = rustsecp256k1zkp_v0_6_0_memcmp_var(deckey, expected_deckey, sizeof(expected_deckey)); VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); CHECK(ret == 0); } diff --git a/secp256k1-zkp-sys/src/error_callbacks.rs b/secp256k1-zkp-sys/src/error_callbacks.rs index 8f09a156..61cc74b9 100644 --- a/secp256k1-zkp-sys/src/error_callbacks.rs +++ b/secp256k1-zkp-sys/src/error_callbacks.rs @@ -9,7 +9,7 @@ use secp256k1_sys::types::{c_char, c_void}; #[no_mangle] #[cfg(not(feature = "external-symbols"))] -pub unsafe extern "C" fn rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn( +pub unsafe extern "C" fn rustsecp256k1zkp_v0_6_0_default_illegal_callback_fn( _: *const c_char, _data: *mut c_void, ) { @@ -18,7 +18,7 @@ pub unsafe extern "C" fn rustsecp256k1zkp_v0_5_0_default_illegal_callback_fn( #[no_mangle] #[cfg(not(feature = "external-symbols"))] -pub unsafe extern "C" fn rustsecp256k1zkp_v0_5_0_default_error_callback_fn( +pub unsafe extern "C" fn rustsecp256k1zkp_v0_6_0_default_error_callback_fn( _: *const c_char, _data: *mut c_void, ) { diff --git a/secp256k1-zkp-sys/src/zkp.rs b/secp256k1-zkp-sys/src/zkp.rs index a674f048..cca51bf7 100644 --- a/secp256k1-zkp-sys/src/zkp.rs +++ b/secp256k1-zkp-sys/src/zkp.rs @@ -11,7 +11,7 @@ pub const WHITELIST_MAX_N_KEYS: size_t = 255; extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_pedersen_commitment_parse" + link_name = "rustsecp256k1zkp_v0_6_0_pedersen_commitment_parse" )] // Parse a 33-byte commitment into 64 byte internal commitment object pub fn secp256k1_pedersen_commitment_parse( @@ -22,7 +22,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_pedersen_commitment_serialize" + link_name = "rustsecp256k1zkp_v0_6_0_pedersen_commitment_serialize" )] // Serialize a 64-byte commit object into a 33 byte serialized byte sequence pub fn secp256k1_pedersen_commitment_serialize( @@ -33,7 +33,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_pedersen_commit" + link_name = "rustsecp256k1zkp_v0_6_0_pedersen_commit" )] // Generates a pedersen commitment: *commit = blind * G + value * G2. // The commitment is 33 bytes, the blinding factor is 32 bytes. @@ -47,7 +47,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_pedersen_blind_generator_blind_sum" + link_name = "rustsecp256k1zkp_v0_6_0_pedersen_blind_generator_blind_sum" )] /// Sets the final Pedersen blinding factor correctly when the generators themselves /// have blinding factors. @@ -89,7 +89,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_pedersen_verify_tally" + link_name = "rustsecp256k1zkp_v0_6_0_pedersen_verify_tally" )] // Takes two list of 64-byte commitments and sums the first set and // subtracts the second and verifies that they sum to 0. @@ -104,7 +104,7 @@ extern "C" { #[cfg(feature = "std")] #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_rangeproof_info" + link_name = "rustsecp256k1zkp_v0_6_0_rangeproof_info" )] pub fn secp256k1_rangeproof_info( ctx: *const Context, @@ -119,7 +119,7 @@ extern "C" { #[cfg(feature = "std")] #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_rangeproof_rewind" + link_name = "rustsecp256k1zkp_v0_6_0_rangeproof_rewind" )] pub fn secp256k1_rangeproof_rewind( ctx: *const Context, @@ -141,7 +141,7 @@ extern "C" { #[cfg(feature = "std")] #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_rangeproof_verify" + link_name = "rustsecp256k1zkp_v0_6_0_rangeproof_verify" )] pub fn secp256k1_rangeproof_verify( ctx: *const Context, @@ -158,7 +158,7 @@ extern "C" { #[cfg(feature = "std")] #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_rangeproof_sign" + link_name = "rustsecp256k1zkp_v0_6_0_rangeproof_sign" )] pub fn secp256k1_rangeproof_sign( ctx: *const Context, @@ -180,7 +180,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_surjectionproof_initialize" + link_name = "rustsecp256k1zkp_v0_6_0_surjectionproof_initialize" )] pub fn secp256k1_surjectionproof_initialize( ctx: *const Context, @@ -196,7 +196,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_surjectionproof_serialize" + link_name = "rustsecp256k1zkp_v0_6_0_surjectionproof_serialize" )] pub fn secp256k1_surjectionproof_serialize( ctx: *const Context, @@ -207,7 +207,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_surjectionproof_serialized_size" + link_name = "rustsecp256k1zkp_v0_6_0_surjectionproof_serialized_size" )] pub fn secp256k1_surjectionproof_serialized_size( ctx: *const Context, @@ -216,7 +216,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_surjectionproof_parse" + link_name = "rustsecp256k1zkp_v0_6_0_surjectionproof_parse" )] pub fn secp256k1_surjectionproof_parse( ctx: *const Context, @@ -227,7 +227,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_surjectionproof_generate" + link_name = "rustsecp256k1zkp_v0_6_0_surjectionproof_generate" )] pub fn secp256k1_surjectionproof_generate( ctx: *const Context, @@ -242,7 +242,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_surjectionproof_verify" + link_name = "rustsecp256k1zkp_v0_6_0_surjectionproof_verify" )] pub fn secp256k1_surjectionproof_verify( ctx: *const Context, @@ -254,7 +254,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_generator_generate_blinded" + link_name = "rustsecp256k1zkp_v0_6_0_generator_generate_blinded" )] pub fn secp256k1_generator_generate_blinded( ctx: *const Context, @@ -265,7 +265,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_generator_serialize" + link_name = "rustsecp256k1zkp_v0_6_0_generator_serialize" )] pub fn secp256k1_generator_serialize( ctx: *const Context, @@ -275,7 +275,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_generator_parse" + link_name = "rustsecp256k1zkp_v0_6_0_generator_parse" )] pub fn secp256k1_generator_parse( ctx: *const Context, @@ -285,13 +285,13 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_nonce_function_ecdsa_adaptor" + link_name = "rustsecp256k1zkp_v0_6_0_nonce_function_ecdsa_adaptor" )] pub static secp256k1_nonce_function_ecdsa_adaptor: EcdsaAdaptorNonceFn; #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_encrypt" + link_name = "rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_encrypt" )] pub fn secp256k1_ecdsa_adaptor_encrypt( cx: *const Context, @@ -305,7 +305,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_verify" + link_name = "rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_verify" )] pub fn secp256k1_ecdsa_adaptor_verify( cx: *const Context, @@ -317,7 +317,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_decrypt" + link_name = "rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_decrypt" )] pub fn secp256k1_ecdsa_adaptor_decrypt( cx: *const Context, @@ -328,7 +328,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_ecdsa_adaptor_recover" + link_name = "rustsecp256k1zkp_v0_6_0_ecdsa_adaptor_recover" )] pub fn secp256k1_ecdsa_adaptor_recover( cx: *const Context, @@ -340,7 +340,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_whitelist_signature_parse" + link_name = "rustsecp256k1zkp_v0_6_0_whitelist_signature_parse" )] pub fn secp256k1_whitelist_signature_parse( cx: *const Context, @@ -351,7 +351,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_whitelist_signature_serialize" + link_name = "rustsecp256k1zkp_v0_6_0_whitelist_signature_serialize" )] pub fn secp256k1_whitelist_signature_serialize( ctx: *const Context, @@ -362,7 +362,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_whitelist_sign" + link_name = "rustsecp256k1zkp_v0_6_0_whitelist_sign" )] pub fn secp256k1_whitelist_sign( ctx: *const Context, @@ -380,7 +380,7 @@ extern "C" { #[cfg_attr( not(feature = "external-symbols"), - link_name = "rustsecp256k1zkp_v0_5_0_whitelist_verify" + link_name = "rustsecp256k1zkp_v0_6_0_whitelist_verify" )] pub fn secp256k1_whitelist_verify( ctx: *const Context,