Squashed 'src/secp256k1/' changes from 7a30cb0c9d9..14620d13125

14620d13125 rangeproof: add a "net blinding factor" API for Elements
d22774e248c Merge BlockstreamResearch/secp256k1-zkp#203: MuSig doc fixes
dd83e72d52d Add ordinary tweak info
d26100cab26 Exclude nonce_process from pre-processing steps
b7607f93f23 Fix reference to xonly_tweak_add
f7e9a8544f3 Merge BlockstreamResearch/secp256k1-zkp#201: rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size
6b6ced9839f rangeproof: add more max_size tests
34876ecb5fa rangeproof: add more static test vectors
310e5170619 rangeproof: add a bunch more testing
f1410cb67a2 rangeproof: add secp256k1_rangeproof_max_size function to estimate rangeproof size
c137ddbdff7 Merge BlockstreamResearch/secp256k1-zkp#200: build: automatically enable module dependencies
0202d839fb1 Merge BlockstreamResearch/secp256k1-zkp#199: surjectionproof: make sure that n_used_pubkeys > 0 in generate
5ac8fb035e8 surjectionproof: make sure that n_used_pubkeys > 0 in generate
7ff446df8b9 Merge BlockstreamResearch/secp256k1-zkp#198: rangeproof: add a test for all-zero blinding factors
5a40f3d99bb replace memcmp with secp256k1_memcmp_var throughout the codebase
92820d944b5 rangeproof: add a test for all-zero blinding factors
171b294a1c7 build: improve error message if --enable-experimental is missed
58ab152bb4b build: move all output concerning enabled modules at single place
1493113e61e build: automatically enable module dependencies
4fd7e1eabda Merge BlockstreamResearch/secp256k1-zkp#197: fix include paths in all the -zkp modules
347f96d94a6 fix include paths in all the -zkp modules
d1d6e47c17c Merge BlockstreamResearch/secp256k1-zkp#196: surjectionproof: fail to generate proofs when an input equals the output
d1175d265d5 surjectionproof: use secp256k1_memcmp_var rather than bare memcmp
bf18ff5a8c6 surjectionproof: fix generation to fail when any input == the output
4ff6e4274d4 surjectionproof: add test for existing behavior on input=output proofs
71a206fa5bb Merge BlockstreamResearch/secp256k1-zkp#194: extrakeys: rename swap/swap64 to fix OpenBSD 7.1 compilation
db648478c3c extrakeys: rename swap/swap64 to fix OpenBSD 7.1 compilation

git-subtree-dir: src/secp256k1
git-subtree-split: 14620d131250b141f4d3ab352fedac0aef45eb30

Author: apoelstra

configure.ac

@@ -385,6 +385,10 @@ SECP_CFLAGS="$SECP_CFLAGS $WERROR_CFLAGS"
 ### Handle module options
 ###
 
+# Besides testing whether modules are enabled, the following code also enables
+# module dependencies. The order of the tests matters: the dependency must be
+# tested first.
+
 if test x"$enable_module_ecdh" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_ECDH, 1, [Define this symbol to enable the ECDH module])
 fi
@@ -398,30 +402,30 @@ if test x"$enable_module_recovery" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module])
 fi
 
-if test x"$enable_module_generator" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_GENERATOR, 1, [Define this symbol to enable the NUMS generator module])
+if test x"$enable_module_whitelist" = x"yes"; then
+  enable_module_rangeproof=yes
+  AC_DEFINE(ENABLE_MODULE_WHITELIST, 1, [Define this symbol to enable the key whitelisting module])
+fi
+
+if test x"$enable_module_surjectionproof" = x"yes"; then
+  enable_module_rangeproof=yes
+  AC_DEFINE(ENABLE_MODULE_SURJECTIONPROOF, 1, [Define this symbol to enable the surjection proof module])
 fi
 
 if test x"$enable_module_rangeproof" = x"yes"; then
+  enable_module_generator=yes
   AC_DEFINE(ENABLE_MODULE_RANGEPROOF, 1, [Define this symbol to enable the Pedersen / zero knowledge range proof module])
 fi
 
-if test x"$enable_module_whitelist" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_WHITELIST, 1, [Define this symbol to enable the key whitelisting module])
+if test x"$enable_module_generator" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_GENERATOR, 1, [Define this symbol to enable the NUMS generator module])
 fi
 
-if test x"$enable_module_surjectionproof" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_SURJECTIONPROOF, 1, [Define this symbol to enable the surjection proof module])
-fi
-# Test if extrakeys is set _after_ the MuSig module to allow the MuSig
-# module to set enable_module_schnorrsig=yes
 if test x"$enable_module_schnorrsig" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module])
   enable_module_extrakeys=yes
 fi
 
-# Test if extrakeys is set after the schnorrsig module to allow the schnorrsig
-# module to set enable_module_extrakeys=yes
 if test x"$enable_module_extrakeys" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_EXTRAKEYS, 1, [Define this symbol to enable the extrakeys module])
 fi
@@ -450,37 +454,24 @@ if test x"$enable_experimental" = x"yes"; then
   AC_MSG_NOTICE([******])
   AC_MSG_NOTICE([WARNING: experimental build])
   AC_MSG_NOTICE([Experimental features do not have stable APIs or properties, and may not be safe for production use.])
-  AC_MSG_NOTICE([Building NUMS generator module: $enable_module_generator])
-  AC_MSG_NOTICE([Building range proof module: $enable_module_rangeproof])
-  AC_MSG_NOTICE([Building key whitelisting module: $enable_module_whitelist])
-  AC_MSG_NOTICE([Building surjection proof module: $enable_module_surjectionproof])
-  AC_MSG_NOTICE([Building MuSig module: $enable_module_musig])
-  AC_MSG_NOTICE([Building ECDSA sign-to-contract module: $enable_module_ecdsa_s2c])
-  AC_MSG_NOTICE([Building ECDSA adaptor signatures module: $enable_module_ecdsa_adaptor])
   AC_MSG_NOTICE([******])
-
-
-  if test x"$enable_module_schnorrsig" != x"yes"; then
-    if test x"$enable_module_musig" = x"yes"; then
-      AC_MSG_ERROR([MuSig module requires the schnorrsig module. Use --enable-module-schnorrsig to allow.])
-    fi
+else
+  # The order of the following tests matters. If the user enables a dependent
+  # module (which automatically enables the module dependencies) we want to
+  # print an error for the dependent module, not the module dependency. Hence,
+  # we first test dependent modules.
+  if test x"$enable_module_whitelist" = x"yes"; then
+    AC_MSG_ERROR([Key whitelisting module is experimental. Use --enable-experimental to allow.])
   fi
-
-  if test x"$enable_module_generator" != x"yes"; then
-    if test x"$enable_module_rangeproof" = x"yes"; then
-      AC_MSG_ERROR([Rangeproof module requires the generator module. Use --enable-module-generator to allow.])
-    fi
+  if test x"$enable_module_surjectionproof" = x"yes"; then
+    AC_MSG_ERROR([Surjection proof module is experimental. Use --enable-experimental to allow.])
   fi
-
-  if test x"$enable_module_rangeproof" != x"yes"; then
-    if test x"$enable_module_whitelist" = x"yes"; then
-      AC_MSG_ERROR([Whitelist module requires the rangeproof module. Use --enable-module-rangeproof to allow.])
-    fi
-    if test x"$enable_module_surjectionproof" = x"yes"; then
-      AC_MSG_ERROR([Surjection proof module requires the rangeproof module. Use --enable-module-rangeproof to allow.])
-    fi
+  if test x"$enable_module_rangeproof" = x"yes"; then
+    AC_MSG_ERROR([Range proof module is experimental. Use --enable-experimental to allow.])
+  fi
+  if test x"$enable_module_generator" = x"yes"; then
+    AC_MSG_ERROR([NUMS generator module is experimental. Use --enable-experimental to allow.])
   fi
-else
   if test x"$enable_module_musig" = x"yes"; then
     AC_MSG_ERROR([MuSig module is experimental. Use --enable-experimental to allow.])
   fi
@@ -493,18 +484,6 @@ else
   if test x"$set_asm" = x"arm"; then
     AC_MSG_ERROR([ARM assembly optimization is experimental. Use --enable-experimental to allow.])
   fi
-  if test x"$enable_module_generator" = x"yes"; then
-    AC_MSG_ERROR([NUMS generator module is experimental. Use --enable-experimental to allow.])
-  fi
-  if test x"$enable_module_rangeproof" = x"yes"; then
-    AC_MSG_ERROR([Range proof module is experimental. Use --enable-experimental to allow.])
-  fi
-  if test x"$enable_module_whitelist" = x"yes"; then
-    AC_MSG_ERROR([Key whitelisting module is experimental. Use --enable-experimental to allow.])
-  fi
-  if test x"$enable_module_surjectionproof" = x"yes"; then
-    AC_MSG_ERROR([Surjection proof module is experimental. Use --enable-experimental to allow.])
-  fi
 fi
 
 ###
@@ -555,6 +534,10 @@ echo "  module ecdh             = $enable_module_ecdh"
 echo "  module recovery         = $enable_module_recovery"
 echo "  module extrakeys        = $enable_module_extrakeys"
 echo "  module schnorrsig       = $enable_module_schnorrsig"
+echo "  module generator        = $enable_module_generator"
+echo "  module rangeproof       = $enable_module_rangeproof"
+echo "  module surjectionproof  = $enable_module_surjectionproof"
+echo "  module whitelist        = $enable_module_whitelist"
 echo "  module musig            = $enable_module_musig"
 echo "  module ecdsa-s2c        = $enable_module_ecdsa_s2c"
 echo "  module ecdsa-adaptor    = $enable_module_ecdsa_adaptor"

include/secp256k1_rangeproof.h

@@ -10,6 +10,15 @@ extern "C" {
 
 #include <stdint.h>
 
+/** Length of a message that can be embedded into a maximally-sized rangeproof
+ *
+ * It is not be possible to fit a message of this size into a non-maximally-sized
+ * rangeproof, but it is guaranteed that any embeddable message can fit into an
+ * array of this size. This constant is intended to be used for memory allocations
+ * and sanity checks.
+ */
+#define SECP256K1_RANGEPROOF_MAX_MESSAGE_LEN 3968
+
 /** Opaque data structure that stores a Pedersen commitment
  *
  *  The exact representation of data inside is implementation defined and not
@@ -119,6 +128,49 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_verify_tally(
   size_t ncnt
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
 
+/** Compute the "net blinding factor" for an asset/amount pair of Pedersen commitments
+ *
+ *  Returns 0 if either input is out of range, otherwise 1
+ *  Args:    ctx: a secp256k1 context object.
+ *  Out:  output: 32-byte array into which the result will be written
+ *  In:      val: the value of the amount commitment
+ *           vbf: the amount commitment's blinding factor
+ *           abf: the asset commitment's blinding factor
+ *
+ *  This computse val*abf + vbf
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_netbf_compute(
+  const secp256k1_context* ctx,
+  unsigned char* output,
+  uint64_t val,
+  const unsigned char* vbf,
+  const unsigned char* abf
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Accumulate a net blinding factor
+ *
+ *  Returns 0 if the input is out of range, otherwise 1
+ *  Args:    ctx: a secp256k1 context object.
+ *  In/Out:  acc: initially set to the current state of the accumulator; updated in place
+ *  In:      nbf: the net blinding factor to add to the accumulator
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_netbf_acc(
+    const secp256k1_context* ctx,
+    unsigned char* acc,
+    const unsigned char* nbf
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Negate a(n accumulated) net blinding factor
+ *
+ *  Returns 0 if the input is out of range, otherwise 1
+ *  Args:    ctx: a secp256k1 context object.
+ *  In/Out:  acc: initially set to the bf to negate; changed to the negated version
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_netbf_neg(
+    const secp256k1_context* ctx,
+    unsigned char* output
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+
 /** Sets the final Pedersen blinding factor correctly when the generators themselves
  *  have blinding factors.
  *
@@ -227,7 +279,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_rewind(
  *          proof:  pointer to array to receive the proof, can be up to 5134 bytes. (cannot be NULL)
  *          min_value: constructs a proof where the verifer can tell the minimum value is at least the specified amount.
  *          commit: the commitment being proved.
- *          blind:  32-byte blinding factor used by commit.
+ *          blind:  32-byte blinding factor used by commit. The blinding factor may be all-zeros as long as min_bits is set to 3 or greater.
+ *                  This is a side-effect of the underlying crypto, not a deliberate API choice, but it may be useful when balancing CT transactions.
  *          nonce:  32-byte secret nonce used to initialize the proof (value can be reverse-engineered out of the proof if this secret is known.)
  *          exp:    Base-10 exponent. Digits below above will be made public, but the proof will be made smaller. Allowed range is -1 to 18.
  *                  (-1 is a special case that makes the value public. 0 is the most private.)
@@ -286,6 +339,33 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_info(
   size_t plen
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
 
+/** Returns an upper bound on the size of a rangeproof with the given parameters
+ *
+ * An actual rangeproof may be smaller, for example if the actual value
+ * is less than both the provided `max_value` and 2^`min_bits`, or if
+ * the `exp` parameter to `secp256k1_rangeproof_sign` is set such that
+ * the proven range is compressed. In particular this function will always
+ * overestimate the size of single-value proofs. Also, if `min_value`
+ * is set to 0 in the proof, the result will usually, but not always,
+ * be 8 bytes smaller than if a nonzero value had been passed.
+ *
+ * The goal of this function is to provide a useful upper bound for
+ * memory allocation or fee estimation purposes, without requiring
+ * too many parameters be fixed in advance.
+ *
+ * To obtain the size of largest possible proof, set `max_value` to
+ * `UINT64_MAX` (and `min_bits` to any valid value such as 0).
+ *
+ *  In:       ctx: pointer to a context object
+ *      max_value: the maximum value that might be passed for `value` for the proof.
+ *       min_bits: the value that will be passed as `min_bits` for the proof.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT size_t secp256k1_rangeproof_max_size(
+  const secp256k1_context* ctx,
+  uint64_t max_value,
+  int min_bits
+) SECP256K1_ARG_NONNULL(1);
+
 # ifdef __cplusplus
 }
 # endif

src/modules/ecdsa_adaptor/main_impl.h

@@ -7,8 +7,8 @@
 #ifndef SECP256K1_MODULE_ECDSA_ADAPTOR_MAIN_H
 #define SECP256K1_MODULE_ECDSA_ADAPTOR_MAIN_H
 
-#include "include/secp256k1_ecdsa_adaptor.h"
-#include "modules/ecdsa_adaptor/dleq_impl.h"
+#include "../../../include/secp256k1_ecdsa_adaptor.h"
+#include "dleq_impl.h"
 
 /* (R, R', s', dleq_proof) */
 static int secp256k1_ecdsa_adaptor_sig_serialize(unsigned char *adaptor_sig162, secp256k1_ge *r, secp256k1_ge *rp, const secp256k1_scalar *sp, const secp256k1_scalar *dleq_proof_e, const secp256k1_scalar *dleq_proof_s) {

src/modules/ecdsa_adaptor/tests_impl.h

@@ -1,7 +1,7 @@
 #ifndef SECP256K1_MODULE_ECDSA_ADAPTOR_TESTS_H
 #define SECP256K1_MODULE_ECDSA_ADAPTOR_TESTS_H
 
-#include "include/secp256k1_ecdsa_adaptor.h"
+#include "../../../include/secp256k1_ecdsa_adaptor.h"
 
 void rand_scalar(secp256k1_scalar *scalar) {
     unsigned char buf32[32];

src/modules/ecdsa_s2c/main_impl.h

@@ -7,8 +7,8 @@
 #ifndef SECP256K1_MODULE_ECDSA_S2C_MAIN_H
 #define SECP256K1_MODULE_ECDSA_S2C_MAIN_H
 
-#include "include/secp256k1.h"
-#include "include/secp256k1_ecdsa_s2c.h"
+#include "../../../include/secp256k1.h"
+#include "../../../include/secp256k1_ecdsa_s2c.h"
 
 static void secp256k1_ecdsa_s2c_opening_save(secp256k1_ecdsa_s2c_opening* opening, secp256k1_ge* ge) {
     secp256k1_pubkey_save((secp256k1_pubkey*) opening, ge);

src/modules/ecdsa_s2c/tests_impl.h

@@ -7,7 +7,7 @@
 #ifndef SECP256K1_MODULE_ECDSA_S2C_TESTS_H
 #define SECP256K1_MODULE_ECDSA_S2C_TESTS_H
 
-#include "include/secp256k1_ecdsa_s2c.h"
+#include "../../../include/secp256k1_ecdsa_s2c.h"
 
 static void test_ecdsa_s2c_tagged_hash(void) {
     unsigned char tag_data[14] = "s2c/ecdsa/data";
@@ -78,7 +78,7 @@ void run_s2c_opening_test(void) {
          * points' x-coordinates are uniformly random */
         if (secp256k1_ecdsa_s2c_opening_parse(none, &opening, input) == 1) {
             CHECK(secp256k1_ecdsa_s2c_opening_serialize(none, output, &opening) == 1);
-            CHECK(memcmp(output, input, sizeof(output)) == 0);
+            CHECK(secp256k1_memcmp_var(output, input, sizeof(output)) == 0);
         }
         secp256k1_testrand256(&input[1]);
         /* Set pubkey oddness tag to first bit of input[1] */
@@ -255,7 +255,7 @@ static void test_ecdsa_s2c_fixed_vectors(void) {
         secp256k1_ecdsa_signature signature;
         CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1);
         CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, opening_ser, &s2c_opening) == 1);
-        CHECK(memcmp(test->expected_s2c_opening, opening_ser, sizeof(opening_ser)) == 0);
+        CHECK(secp256k1_memcmp_var(test->expected_s2c_opening, opening_ser, sizeof(opening_ser)) == 0);
         CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, test->s2c_data, &s2c_opening) == 1);
     }
 }
@@ -331,7 +331,7 @@ static void test_ecdsa_anti_exfil_signer_commit(void) {
         const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i];
         CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1);
         CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1);
-        CHECK(memcmp(test->expected_s2c_exfil_opening, buf, sizeof(buf)) == 0);
+        CHECK(secp256k1_memcmp_var(test->expected_s2c_exfil_opening, buf, sizeof(buf)) == 0);
     }
 }
 
@@ -397,7 +397,7 @@ static void test_ecdsa_anti_exfil(void) {
         CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1);
         CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
         CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1);
-        CHECK(memcmp(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0);
+        CHECK(secp256k1_memcmp_var(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0);
     }
 }
 

src/modules/extrakeys/hsort_impl.h

@@ -23,20 +23,20 @@ static SECP256K1_INLINE size_t child2(size_t i) {
     return child1(i)+1;
 }
 
-static SECP256K1_INLINE void swap64(unsigned char *a, size_t i, size_t j, size_t stride) {
+static SECP256K1_INLINE void heap_swap64(unsigned char *a, size_t i, size_t j, size_t stride) {
     unsigned char tmp[64];
     VERIFY_CHECK(stride <= 64);
     memcpy(tmp, a + i*stride, stride);
     memmove(a + i*stride, a + j*stride, stride);
     memcpy(a + j*stride, tmp, stride);
 }
 
-static SECP256K1_INLINE void swap(unsigned char *a, size_t i, size_t j, size_t stride) {
+static SECP256K1_INLINE void heap_swap(unsigned char *a, size_t i, size_t j, size_t stride) {
     while (64 < stride) {
-        swap64(a + (stride - 64), i, j, 64);
+        heap_swap64(a + (stride - 64), i, j, 64);
         stride -= 64;
     }
-    swap64(a, i, j, stride);
+    heap_swap64(a, i, j, stride);
 }
 
 static SECP256K1_INLINE void heap_down(unsigned char *a, size_t i, size_t heap_size, size_t stride,
@@ -71,7 +71,7 @@ static SECP256K1_INLINE void heap_down(unsigned char *a, size_t i, size_t heap_s
         if (child2(i) < heap_size
                 && 0 <= cmp(a + child2(i)*stride, a + child1(i)*stride, cmp_data)) {
             if (0 < cmp(a + child2(i)*stride, a +         i*stride, cmp_data)) {
-                swap(a, i, child2(i), stride);
+                heap_swap(a, i, child2(i), stride);
                 i = child2(i);
             } else {
                 /* At this point we have [child2(i)] >= [child1(i)] and we have
@@ -80,7 +80,7 @@ static SECP256K1_INLINE void heap_down(unsigned char *a, size_t i, size_t heap_s
                 return;
             }
         } else if (0 < cmp(a + child1(i)*stride, a +         i*stride, cmp_data)) {
-            swap(a, i, child1(i), stride);
+            heap_swap(a, i, child1(i), stride);
             i = child1(i);
         } else {
             return;
@@ -106,7 +106,7 @@ static void secp256k1_hsort(void *ptr, size_t count, size_t size,
     }
     for(i = count; 1 < i; --i) {
         /* Extract the largest value from the heap */
-        swap(ptr, 0, i-1, size);
+        heap_swap(ptr, 0, i-1, size);
 
         /* Repair the heap condition */
         heap_down(ptr, 0, i-1, size, cmp, cmp_data);

src/modules/generator/main_impl.h

@@ -9,10 +9,10 @@
 
 #include <stdio.h>
 
-#include "field.h"
-#include "group.h"
-#include "hash.h"
-#include "scalar.h"
+#include "../../field.h"
+#include "../../group.h"
+#include "../../hash.h"
+#include "../../scalar.h"
 
 static void secp256k1_generator_load(secp256k1_ge* ge, const secp256k1_generator* gen) {
     int succeed;

src/modules/generator/tests_impl.h

@@ -10,12 +10,12 @@
 #include <string.h>
 #include <stdio.h>
 
-#include "group.h"
-#include "scalar.h"
-#include "testrand.h"
-#include "util.h"
+#include "../../group.h"
+#include "../../scalar.h"
+#include "../../testrand.h"
+#include "../../util.h"
 
-#include "include/secp256k1_generator.h"
+#include "../../../include/secp256k1_generator.h"
 
 void test_generator_api(void) {
     unsigned char key[32];
@@ -134,7 +134,7 @@ void test_shallue_van_de_woestijne(void) {
             shallue_van_de_woestijne(&ge, &fe);
             secp256k1_ge_to_storage(&ges, &ge);
 
-            CHECK(memcmp(&ges, &results[i * 2 + s - 2], sizeof(secp256k1_ge_storage)) == 0);
+            CHECK(secp256k1_memcmp_var(&ges, &results[i * 2 + s - 2], sizeof(secp256k1_ge_storage)) == 0);
         }
     }
 }
@@ -188,11 +188,11 @@ void test_generator_generate(void) {
         CHECK(secp256k1_generator_generate_blinded(ctx, &gen, v, s));
         secp256k1_generator_load(&ge, &gen);
         secp256k1_ge_to_storage(&ges, &ge);
-        CHECK(memcmp(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0);
+        CHECK(secp256k1_memcmp_var(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0);
         CHECK(secp256k1_generator_generate(ctx, &gen, v));
         secp256k1_generator_load(&ge, &gen);
         secp256k1_ge_to_storage(&ges, &ge);
-        CHECK(memcmp(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0);
+        CHECK(secp256k1_memcmp_var(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0);
     }
 
     /* There is no range restriction on the value, but the blinder must be a
@@ -215,7 +215,7 @@ void test_generator_fixed_vector(void) {
 
     CHECK(secp256k1_generator_parse(ctx, &parse, two_g));
     CHECK(secp256k1_generator_serialize(ctx, result, &parse));
-    CHECK(memcmp(two_g, result, 33) == 0);
+    CHECK(secp256k1_memcmp_var(two_g, result, 33) == 0);
 
     result[0] = 0x0a;
     CHECK(secp256k1_generator_parse(ctx, &parse, result));

src/modules/musig/musig.md

@@ -23,7 +23,7 @@ Therefore, users of the musig module must take great care to make sure of the fo
 # Key Aggregation and (Taproot) Tweaking
 
 Given a set of public keys, the aggregate public key is computed with `secp256k1_musig_pubkey_agg`.
-A (Taproot) tweak can be added to the resulting public key with `secp256k1_xonly_pubkey_tweak_add`.
+A (Taproot) tweak can be added to the resulting public key with `secp256k1_xonly_pubkey_tweak_add` and an ordinary tweak can be added with `secp256k1_ec_pubkey_tweak_add`.
 
 # Signing
 
@@ -32,7 +32,7 @@ Essentially, the protocol proceeds in the following steps:
 
 1. Generate a keypair with `secp256k1_keypair_create` and obtain the xonly public key with `secp256k1_keypair_xonly_pub`.
 2. Call `secp256k1_musig_pubkey_agg` with the xonly pubkeys of all participants.
-3. Optionally add a (Taproot) tweak with `secp256k1_musig_pubkey_tweak_add`.
+3. Optionally add a (Taproot) tweak with `secp256k1_musig_pubkey_xonly_tweak_add` and an ordinary tweak with `secp256k1_musig_pubkey_ec_tweak_add`.
 4. Generate a pair of secret and public nonce with `secp256k1_musig_nonce_gen` and send the public nonce to the other signers.
 5. Someone (not necessarily the signer) aggregates the public nonce with `secp256k1_musig_nonce_agg` and sends it to the signers.
 6. Process the aggregate nonce with `secp256k1_musig_nonce_process`.
@@ -42,10 +42,10 @@ Essentially, the protocol proceeds in the following steps:
 
 The aggregate signature can be verified with `secp256k1_schnorrsig_verify`.
 
-Note that steps 1 to 6 can happen before the message to be signed is known to the signers.
+Note that steps 1 to 5 can happen before the message to be signed is known to the signers.
 Therefore, the communication round to exchange nonces can be viewed as a pre-processing step that is run whenever convenient to the signers.
 This disables some of the defense-in-depth measures that may protect against API misuse in some cases.
-Similarly, the API supports an alternative protocol flow where generating the aggregate key (steps 1 to 3) is allowed to happen after exchanging nonces (steps 4 to 6).
+Similarly, the API supports an alternative protocol flow where generating the aggregate key (steps 1 to 3) is allowed to happen after exchanging nonces (steps 4 to 5).
 
 # Verification
 

src/modules/musig/tests_impl.h

@@ -360,7 +360,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
         secp256k1_musig_pubnonce tmp;
         CHECK(secp256k1_musig_pubnonce_serialize(none, pubnonce_ser, &pubnonce[0]) == 1);
         CHECK(secp256k1_musig_pubnonce_parse(none, &tmp, pubnonce_ser) == 1);
-        CHECK(memcmp(&tmp, &pubnonce[0], sizeof(tmp)) == 0);
+        CHECK(secp256k1_memcmp_var(&tmp, &pubnonce[0], sizeof(tmp)) == 0);
     }
 
     /** Receive nonces and aggregate **/
@@ -414,7 +414,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
         secp256k1_musig_aggnonce tmp;
         CHECK(secp256k1_musig_aggnonce_serialize(none, aggnonce_ser, &aggnonce) == 1);
         CHECK(secp256k1_musig_aggnonce_parse(none, &tmp, aggnonce_ser) == 1);
-        CHECK(memcmp(&tmp, &aggnonce, sizeof(tmp)) == 0);
+        CHECK(secp256k1_memcmp_var(&tmp, &aggnonce, sizeof(tmp)) == 0);
     }
 
     /** Process nonces **/
@@ -444,7 +444,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
     memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
     CHECK(secp256k1_musig_partial_sign(none, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 1);
     /* The secnonce is set to 0 and subsequent signing attempts fail */
-    CHECK(memcmp(&secnonce_tmp, zeros68, sizeof(secnonce_tmp)) == 0);
+    CHECK(secp256k1_memcmp_var(&secnonce_tmp, zeros68, sizeof(secnonce_tmp)) == 0);
     CHECK(secp256k1_musig_partial_sign(none, &partial_sig[0], &secnonce_tmp, &keypair[0], &keyagg_cache, &session) == 0);
     CHECK(ecount == 1);
     memcpy(&secnonce_tmp, &secnonce[0], sizeof(secnonce_tmp));
@@ -496,7 +496,7 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
         secp256k1_musig_partial_sig tmp;
         CHECK(secp256k1_musig_partial_sig_serialize(none, buf, &partial_sig[0]) == 1);
         CHECK(secp256k1_musig_partial_sig_parse(none, &tmp, buf) == 1);
-        CHECK(memcmp(&tmp, &partial_sig[0], sizeof(tmp)) == 0);
+        CHECK(secp256k1_memcmp_var(&tmp, &partial_sig[0], sizeof(tmp)) == 0);
     }
 
     /** Partial signature verification */
@@ -582,10 +582,10 @@ void musig_api_tests(secp256k1_scratch_space *scratch) {
     /** Secret adaptor can be extracted from signature */
     ecount = 0;
     CHECK(secp256k1_musig_extract_adaptor(none, sec_adaptor1, final_sig, pre_sig, nonce_parity) == 1);
-    CHECK(memcmp(sec_adaptor, sec_adaptor1, 32) == 0);
+    CHECK(secp256k1_memcmp_var(sec_adaptor, sec_adaptor1, 32) == 0);
     /* wrong nonce parity */
     CHECK(secp256k1_musig_extract_adaptor(none, sec_adaptor1, final_sig, pre_sig, !nonce_parity) == 1);
-    CHECK(memcmp(sec_adaptor, sec_adaptor1, 32) != 0);
+    CHECK(secp256k1_memcmp_var(sec_adaptor, sec_adaptor1, 32) != 0);
     CHECK(secp256k1_musig_extract_adaptor(none, NULL, final_sig, pre_sig, 0) == 0);
     CHECK(ecount == 1);
     CHECK(secp256k1_musig_extract_adaptor(none, sec_adaptor1, NULL, pre_sig, 0) == 0);
@@ -764,7 +764,7 @@ void scriptless_atomic_swap(secp256k1_scratch_space *scratch) {
     CHECK(secp256k1_musig_partial_sign(ctx, &partial_sig_a[1], &secnonce_a[1], &keypair_a[1], &keyagg_cache_a, &session_a) == 1);
     CHECK(secp256k1_musig_partial_sig_agg(ctx, pre_sig_a, &session_a, partial_sig_a_ptr, 2) == 1);
     CHECK(secp256k1_musig_extract_adaptor(ctx, sec_adaptor_extracted, final_sig_b, pre_sig_b, nonce_parity_b) == 1);
-    CHECK(memcmp(sec_adaptor_extracted, sec_adaptor, sizeof(sec_adaptor)) == 0); /* in real life we couldn't check this, of course */
+    CHECK(secp256k1_memcmp_var(sec_adaptor_extracted, sec_adaptor, sizeof(sec_adaptor)) == 0); /* in real life we couldn't check this, of course */
     CHECK(secp256k1_musig_adapt(ctx, final_sig_a, pre_sig_a, sec_adaptor_extracted, nonce_parity_a) == 1);
     CHECK(secp256k1_schnorrsig_verify(ctx, final_sig_a, msg32_a, sizeof(msg32_a), &agg_pk_a) == 1);
 }
@@ -794,7 +794,7 @@ void sha256_tag_test_internal(secp256k1_sha256 *sha_tagged, unsigned char *tag,
     secp256k1_sha256_write(sha_tagged, buf, 32);
     secp256k1_sha256_finalize(&sha, buf);
     secp256k1_sha256_finalize(sha_tagged, buf2);
-    CHECK(memcmp(buf, buf2, 32) == 0);
+    CHECK(secp256k1_memcmp_var(buf, buf2, 32) == 0);
 }
 
 /* Checks that the initialized tagged hashes initialized have the expected
@@ -904,7 +904,7 @@ void musig_tweak_test(secp256k1_scratch_space *scratch) {
         } else {
             secp256k1_pubkey tmp_key = P[i-1];
             CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &tmp_key, tweak));
-            CHECK(memcmp(&tmp_key, &P[i], sizeof(tmp_key)) == 0);
+            CHECK(secp256k1_memcmp_var(&tmp_key, &P[i], sizeof(tmp_key)) == 0);
         }
         /* Test signing for P[i] */
         musig_tweak_test_helper(&P_xonly[i], sk[0], sk[1], &keyagg_cache);
@@ -1138,7 +1138,7 @@ void musig_test_vectors_noncegen(void) {
         for (j = 0; j < 2; j++) {
             unsigned char k32[32];
             secp256k1_scalar_get_b32(k32, &k[i][j]);
-            CHECK(memcmp(k32, k32_expected[i][j], 32) == 0);
+            CHECK(secp256k1_memcmp_var(k32, k32_expected[i][j], 32) == 0);
         }
     }
 }
@@ -1264,7 +1264,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 1);
         CHECK(!musig_test_is_second_pk(&keyagg_cache, sk));
         CHECK(fin_nonce_parity == 1);
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
     {
        /* This is a test where the aggregate public key point has an _even_ y
@@ -1281,7 +1281,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 0);
         CHECK(musig_test_is_second_pk(&keyagg_cache, sk));
         CHECK(fin_nonce_parity == 0);
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
     {
        /* This is a test where the parity of aggregate public key point (1) is unequal to the
@@ -1297,7 +1297,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 1);
         CHECK(fin_nonce_parity == 0);
         CHECK(!musig_test_is_second_pk(&keyagg_cache, sk));
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
     {
        /* This is a test that includes an xonly public key tweak. */
@@ -1319,7 +1319,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 1);
         CHECK(!musig_test_is_second_pk(&keyagg_cache, sk));
         CHECK(fin_nonce_parity == 1);
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
     {
        /* This is a test that includes an ordinary public key tweak. */
@@ -1341,7 +1341,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 1);
         CHECK(!musig_test_is_second_pk(&keyagg_cache, sk));
         CHECK(fin_nonce_parity == 0);
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
     {
        /* This is a test that includes an ordinary and an x-only public key tweak. */
@@ -1371,7 +1371,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 0);
         CHECK(!musig_test_is_second_pk(&keyagg_cache, sk));
         CHECK(fin_nonce_parity == 0);
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
     {
        /* This is a test with four tweaks: x-only, ordinary, x-only, ordinary. */
@@ -1412,7 +1412,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 0);
         CHECK(!musig_test_is_second_pk(&keyagg_cache, sk));
         CHECK(fin_nonce_parity == 1);
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
     {
        /* This is a test that includes an adaptor. */
@@ -1435,7 +1435,7 @@ void musig_test_vectors_sign(void) {
         CHECK(musig_test_pk_parity(&keyagg_cache) == 1);
         CHECK(!musig_test_is_second_pk(&keyagg_cache, sk));
         CHECK(fin_nonce_parity == 1);
-        CHECK(memcmp(sig, sig_expected, 32) == 0);
+        CHECK(secp256k1_memcmp_var(sig, sig_expected, 32) == 0);
     }
 }
 

src/modules/rangeproof/borromean.h

@@ -8,11 +8,11 @@
 #ifndef _SECP256K1_BORROMEAN_H_
 #define _SECP256K1_BORROMEAN_H_
 
-#include "scalar.h"
-#include "field.h"
-#include "group.h"
-#include "ecmult.h"
-#include "ecmult_gen.h"
+#include "../../scalar.h"
+#include "../../field.h"
+#include "../../group.h"
+#include "../../ecmult.h"
+#include "../../ecmult_gen.h"
 
 int secp256k1_borromean_verify(secp256k1_scalar *evalues, const unsigned char *e0, const secp256k1_scalar *s,
  const secp256k1_gej *pubs, const size_t *rsizes, size_t nrings, const unsigned char *m, size_t mlen);

src/modules/rangeproof/borromean_impl.h

@@ -8,13 +8,13 @@
 #ifndef _SECP256K1_BORROMEAN_IMPL_H_
 #define _SECP256K1_BORROMEAN_IMPL_H_
 
-#include "scalar.h"
-#include "field.h"
-#include "group.h"
-#include "hash.h"
-#include "eckey.h"
-#include "ecmult.h"
-#include "ecmult_gen.h"
+#include "../../scalar.h"
+#include "../../field.h"
+#include "../../group.h"
+#include "../../hash.h"
+#include "../../eckey.h"
+#include "../../ecmult.h"
+#include "../../ecmult_gen.h"
 #include "borromean.h"
 
 #include <limits.h>
@@ -105,7 +105,7 @@ int secp256k1_borromean_verify(secp256k1_scalar *evalues, const unsigned char *e
     }
     secp256k1_sha256_write(&sha256_e0, m, mlen);
     secp256k1_sha256_finalize(&sha256_e0, tmp);
-    return memcmp(e0, tmp, 32) == 0;
+    return secp256k1_memcmp_var(e0, tmp, 32) == 0;
 }
 
 int secp256k1_borromean_sign(const secp256k1_ecmult_gen_context *ecmult_gen_ctx,

src/modules/rangeproof/main_impl.h

@@ -7,11 +7,11 @@
 #ifndef SECP256K1_MODULE_RANGEPROOF_MAIN
 #define SECP256K1_MODULE_RANGEPROOF_MAIN
 
-#include "group.h"
+#include "../../group.h"
 
-#include "modules/rangeproof/pedersen_impl.h"
-#include "modules/rangeproof/borromean_impl.h"
-#include "modules/rangeproof/rangeproof_impl.h"
+#include "pedersen_impl.h"
+#include "borromean_impl.h"
+#include "rangeproof_impl.h"
 
 /** Alternative generator for secp256k1.
  *  This is the sha256 of 'g' after standard encoding (without compression),
@@ -165,6 +165,74 @@ int secp256k1_pedersen_verify_tally(const secp256k1_context* ctx, const secp256k
     return secp256k1_gej_is_infinity(&accj);
 }
 
+int secp256k1_netbf_compute(const secp256k1_context* ctx, unsigned char* output, uint64_t val, const unsigned char* vbf, const unsigned char* abf) {
+    int overflow = 0;
+    secp256k1_scalar vbf_s;
+    secp256k1_scalar abf_s;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(output != NULL);
+    ARG_CHECK(vbf != NULL);
+    ARG_CHECK(abf != NULL);
+    (void) ctx;
+
+    secp256k1_scalar_set_b32(&abf_s, abf, &overflow);
+    if (overflow == 1) {
+        return 0;
+    }
+    secp256k1_scalar_set_u64(&vbf_s, val);
+    secp256k1_scalar_mul(&abf_s, &abf_s, &vbf_s);
+
+    secp256k1_scalar_set_b32(&vbf_s, vbf, &overflow);
+    if (overflow == 1) {
+        return 0;
+    }
+    secp256k1_scalar_add(&vbf_s, &vbf_s, &abf_s);
+
+    secp256k1_scalar_get_b32(output, &vbf_s);
+    return 1;
+}
+
+int secp256k1_netbf_acc(const secp256k1_context* ctx, unsigned char* acc, const unsigned char* nbf) {
+    int overflow = 0;
+    secp256k1_scalar ret_s;
+    secp256k1_scalar nbf_s;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(acc != NULL);
+    ARG_CHECK(nbf != NULL);
+
+    secp256k1_scalar_set_b32(&ret_s, acc, &overflow);
+    if (overflow == 1) {
+        return 0;
+    }
+    secp256k1_scalar_set_b32(&nbf_s, nbf, &overflow);
+    if (overflow == 1) {
+        return 0;
+    }
+
+    secp256k1_scalar_add(&ret_s, &ret_s, &nbf_s);
+    secp256k1_scalar_get_b32(acc, &ret_s);
+    return 1;
+}
+
+int secp256k1_netbf_neg(const secp256k1_context* ctx, unsigned char* acc) {
+    int overflow = 0;
+    secp256k1_scalar ret_s;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(acc != NULL);
+
+    secp256k1_scalar_set_b32(&ret_s, acc, &overflow);
+    if (overflow == 1) {
+        return 0;
+    }
+
+    secp256k1_scalar_negate(&ret_s, &ret_s);
+    secp256k1_scalar_get_b32(acc, &ret_s);
+    return 1;
+}
+
 int secp256k1_pedersen_blind_generator_blind_sum(const secp256k1_context* ctx, const uint64_t *value, const unsigned char* const* generator_blind, unsigned char* const* blinding_factor, size_t n_total, size_t n_inputs) {
     secp256k1_scalar sum;
     secp256k1_scalar tmp;
@@ -304,4 +372,16 @@ int secp256k1_rangeproof_sign(const secp256k1_context* ctx, unsigned char *proof
      proof, plen, min_value, &commitp, blind, nonce, exp, min_bits, value, message, msg_len, extra_commit, extra_commit_len, &genp);
 }
 
+size_t secp256k1_rangeproof_max_size(const secp256k1_context* ctx, uint64_t max_value, int min_bits) {
+    const int val_mantissa = max_value > 0 ? 64 - secp256k1_clz64_var(max_value) : 1;
+    const int mantissa = min_bits > val_mantissa ? min_bits : val_mantissa;
+    const size_t rings = (mantissa + 1) / 2;
+    const size_t npubs = rings * 4 - 2 * (mantissa % 2);
+
+    VERIFY_CHECK(ctx != NULL);
+    (void) ctx;
+
+    return 10 + 32 * (npubs + rings - 1) + 32 + ((rings - 1 + 7) / 8);
+}
+
 #endif

src/modules/rangeproof/pedersen.h

@@ -7,9 +7,9 @@
 #ifndef _SECP256K1_PEDERSEN_H_
 #define _SECP256K1_PEDERSEN_H_
 
-#include "ecmult_gen.h"
-#include "group.h"
-#include "scalar.h"
+#include "../../ecmult_gen.h"
+#include "../../group.h"
+#include "../../scalar.h"
 
 #include <stdint.h>
 

src/modules/rangeproof/pedersen_impl.h

@@ -9,13 +9,13 @@
 
 #include <string.h>
 
-#include "eckey.h"
-#include "ecmult_const.h"
-#include "ecmult_gen.h"
-#include "group.h"
-#include "field.h"
-#include "scalar.h"
-#include "util.h"
+#include "../../eckey.h"
+#include "../../ecmult_const.h"
+#include "../../ecmult_gen.h"
+#include "../../group.h"
+#include "../../field.h"
+#include "../../scalar.h"
+#include "../../util.h"
 
 static void secp256k1_pedersen_scalar_set_u64(secp256k1_scalar *sec, uint64_t value) {
     unsigned char data[32];

src/modules/rangeproof/rangeproof.h

@@ -7,10 +7,10 @@
 #ifndef _SECP256K1_RANGEPROOF_H_
 #define _SECP256K1_RANGEPROOF_H_
 
-#include "scalar.h"
-#include "group.h"
-#include "ecmult.h"
-#include "ecmult_gen.h"
+#include "../../scalar.h"
+#include "../../group.h"
+#include "../../ecmult.h"
+#include "../../ecmult_gen.h"
 
 static int secp256k1_rangeproof_verify_impl(const secp256k1_ecmult_gen_context* ecmult_gen_ctx,
  unsigned char *blindout, uint64_t *value_out, unsigned char *message_out, size_t *outlen, const unsigned char *nonce,

src/modules/rangeproof/rangeproof_impl.h

@@ -7,16 +7,15 @@
 #ifndef _SECP256K1_RANGEPROOF_IMPL_H_
 #define _SECP256K1_RANGEPROOF_IMPL_H_
 
-#include "eckey.h"
-#include "scalar.h"
-#include "group.h"
-#include "rangeproof.h"
-#include "hash_impl.h"
-#include "pedersen_impl.h"
-#include "util.h"
+#include "../../eckey.h"
+#include "../../scalar.h"
+#include "../../group.h"
+#include "../../hash_impl.h"
+#include "../../util.h"
 
-#include "modules/rangeproof/pedersen.h"
-#include "modules/rangeproof/borromean.h"
+#include "pedersen.h"
+#include "rangeproof.h"
+#include "borromean.h"
 
 SECP256K1_INLINE static void secp256k1_rangeproof_pub_expand(secp256k1_gej *pubs,
  int exp, size_t *rsizes, size_t rings, const secp256k1_ge* genp) {
@@ -402,7 +401,7 @@ SECP256K1_INLINE static int secp256k1_rangeproof_rewind_inner(secp256k1_scalar *
         idx = npub + rsizes[rings - 1] - 1 - j;
         secp256k1_scalar_get_b32(tmp, &s[idx]);
         secp256k1_rangeproof_ch32xor(tmp, &prep[idx * 32]);
-        if ((tmp[0] & 128) && (memcmp(&tmp[16], &tmp[24], 8) == 0) && (memcmp(&tmp[8], &tmp[16], 8) == 0)) {
+        if ((tmp[0] & 128) && (secp256k1_memcmp_var(&tmp[16], &tmp[24], 8) == 0) && (secp256k1_memcmp_var(&tmp[8], &tmp[16], 8) == 0)) {
             value = 0;
             for (i = 0; i < 8; i++) {
                 value = (value << 8) + tmp[24 + i];

src/modules/rangeproof/tests_impl.h

@@ -13,11 +13,11 @@
 #include "libsecp256k1-config.h"
 #endif
 
-#include "include/secp256k1_rangeproof.h"
-#include "include/secp256k1_surjectionproof.h"
-#include "modules/rangeproof/borromean.h"
-#include "modules/surjection/surjection_impl.h"
-#include "hash.h"
+#include "../../../include/secp256k1_rangeproof.h"
+#include "../../../include/secp256k1_surjectionproof.h"
+#include "../rangeproof/borromean.h"
+#include "surjection_impl.h"
+#include "../../hash.h"
 
 #ifdef USE_REDUCED_SURJECTION_PROOF_SIZE
 #undef SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS
@@ -243,7 +243,7 @@ int secp256k1_surjectionproof_initialize(const secp256k1_context* ctx, secp256k1
             while (1) {
                 size_t next_input_index;
                 next_input_index = secp256k1_surjectionproof_csprng_next(&csprng, n_input_tags);
-                if (memcmp(&fixed_input_tags[next_input_index], fixed_output_tag, sizeof(*fixed_output_tag)) == 0) {
+                if (secp256k1_memcmp_var(&fixed_input_tags[next_input_index], fixed_output_tag, sizeof(*fixed_output_tag)) == 0) {
                     *input_index = next_input_index;
                     has_output_tag = 1;
                 }
@@ -298,6 +298,10 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
     CHECK(proof->initialized == 1);
 #endif
 
+    n_used_pubkeys = secp256k1_surjectionproof_n_used_inputs(ctx, proof);
+    /* This must be true if the proof was created with surjectionproof_initialize */
+    ARG_CHECK(n_used_pubkeys > 0);
+
     /* Compute secret key */
     secp256k1_scalar_set_b32(&tmps, input_blinding_key, &overflow);
     if (overflow) {
@@ -307,17 +311,21 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
     if (overflow) {
         return 0;
     }
-    /* The only time the input may equal the output is if neither one was blinded in the first place,
-     * i.e. both blinding keys are zero. Otherwise this is a privacy leak. */
-    if (secp256k1_scalar_eq(&tmps, &blinding_key) && !secp256k1_scalar_is_zero(&blinding_key)) {
-        return 0;
+    /* If any input tag is equal to an output tag, verification will fail, because our ring
+     * signature logic would receive a zero-key, which is illegal. This is unfortunate but
+     * it is deployed on Liquid and cannot be fixed without a hardfork. We should review
+     * this at the same time that we relax the max-256-inputs rule. */
+    for (i = 0; i < n_ephemeral_input_tags; i++) {
+        if (secp256k1_memcmp_var(ephemeral_input_tags[i].data, ephemeral_output_tag->data, sizeof(ephemeral_output_tag->data)) == 0) {
+            return 0;
+        }
     }
     secp256k1_scalar_negate(&tmps, &tmps);
     secp256k1_scalar_add(&blinding_key, &blinding_key, &tmps);
 
     /* Compute public keys */
     n_total_pubkeys = secp256k1_surjectionproof_n_total_inputs(ctx, proof);
-    n_used_pubkeys = secp256k1_surjectionproof_n_used_inputs(ctx, proof);
+
     if (n_used_pubkeys > n_total_pubkeys || n_total_pubkeys != n_ephemeral_input_tags) {
         return 0;
     }

src/modules/surjection/main_impl.h

@@ -7,8 +7,8 @@
 #ifndef _SECP256K1_SURJECTION_H_
 #define _SECP256K1_SURJECTION_H_
 
-#include "group.h"
-#include "scalar.h"
+#include "../../group.h"
+#include "../../scalar.h"
 
 SECP256K1_INLINE static int secp256k1_surjection_genmessage(unsigned char *msg32, secp256k1_ge *ephemeral_input_tags, size_t n_input_tags, secp256k1_ge *ephemeral_output_tag);
 

src/modules/surjection/surjection.h

@@ -10,10 +10,10 @@
 #include <assert.h>
 #include <string.h>
 
-#include "eckey.h"
-#include "group.h"
-#include "scalar.h"
-#include "hash.h"
+#include "../../eckey.h"
+#include "../../group.h"
+#include "../../scalar.h"
+#include "../../hash.h"
 
 SECP256K1_INLINE static void secp256k1_surjection_genmessage(unsigned char *msg32, const secp256k1_generator *ephemeral_input_tags, size_t n_input_tags, const secp256k1_generator *ephemeral_output_tag) {
     /* compute message */

src/modules/surjection/surjection_impl.h

@@ -7,11 +7,11 @@
 #ifndef SECP256K1_MODULE_SURJECTIONPROOF_TESTS
 #define SECP256K1_MODULE_SURJECTIONPROOF_TESTS
 
-#include "testrand.h"
-#include "group.h"
-#include "include/secp256k1_generator.h"
-#include "include/secp256k1_rangeproof.h"
-#include "include/secp256k1_surjectionproof.h"
+#include "../../testrand.h"
+#include "../../group.h"
+#include "../../../include/secp256k1_generator.h"
+#include "../../../include/secp256k1_rangeproof.h"
+#include "../../../include/secp256k1_surjectionproof.h"
 
 static void test_surjectionproof_api(void) {
     unsigned char seed[32];
@@ -173,31 +173,45 @@ static void test_surjectionproof_api(void) {
     CHECK(secp256k1_surjectionproof_verify(vrfy, &proof, ephemeral_input_tags, n_inputs, NULL) == 0);
     CHECK(ecount == 16);
 
+    /* Test how surjectionproof_generate fails when the proof was not created
+     * with surjectionproof_initialize */
+    ecount = 0;
+    CHECK(secp256k1_surjectionproof_generate(sign, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1);
+    {
+        secp256k1_surjectionproof tmp_proof = proof;
+        tmp_proof.n_inputs = 0;
+        CHECK(secp256k1_surjectionproof_generate(sign, &tmp_proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+    }
+    CHECK(ecount == 1);
+
+    CHECK(secp256k1_surjectionproof_generate(sign, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1);
+
     /* Check serialize */
+    ecount = 0;
     serialized_len = sizeof(serialized_proof);
     CHECK(secp256k1_surjectionproof_serialize(none, serialized_proof, &serialized_len, &proof) != 0);
-    CHECK(ecount == 16);
+    CHECK(ecount == 0);
     serialized_len = sizeof(serialized_proof);
     CHECK(secp256k1_surjectionproof_serialize(none, NULL, &serialized_len, &proof) == 0);
-    CHECK(ecount == 17);
+    CHECK(ecount == 1);
     serialized_len = sizeof(serialized_proof);
     CHECK(secp256k1_surjectionproof_serialize(none, serialized_proof, NULL, &proof) == 0);
-    CHECK(ecount == 18);
+    CHECK(ecount == 2);
     serialized_len = sizeof(serialized_proof);
     CHECK(secp256k1_surjectionproof_serialize(none, serialized_proof, &serialized_len, NULL) == 0);
-    CHECK(ecount == 19);
+    CHECK(ecount == 3);
 
     serialized_len = sizeof(serialized_proof);
     CHECK(secp256k1_surjectionproof_serialize(none, serialized_proof, &serialized_len, &proof) != 0);
     /* Check parse */
     CHECK(secp256k1_surjectionproof_parse(none, &proof, serialized_proof, serialized_len) != 0);
-    CHECK(ecount == 19);
+    CHECK(ecount == 3);
     CHECK(secp256k1_surjectionproof_parse(none, NULL, serialized_proof, serialized_len) == 0);
-    CHECK(ecount == 20);
+    CHECK(ecount == 4);
     CHECK(secp256k1_surjectionproof_parse(none, &proof, NULL, serialized_len) == 0);
-    CHECK(ecount == 21);
+    CHECK(ecount == 5);
     CHECK(secp256k1_surjectionproof_parse(none, &proof, serialized_proof, 0) == 0);
-    CHECK(ecount == 21);
+    CHECK(ecount == 5);
 
     secp256k1_context_destroy(none);
     secp256k1_context_destroy(sign);
@@ -524,6 +538,31 @@ void test_bad_parse(void) {
     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0);
 }
 
+void test_input_eq_output(void) {
+    secp256k1_surjectionproof proof;
+    secp256k1_fixed_asset_tag fixed_tag;
+    secp256k1_generator ephemeral_tag;
+    unsigned char blinding_key[32];
+    unsigned char entropy[32];
+    size_t input_index;
+
+    secp256k1_testrand256(fixed_tag.data);
+    secp256k1_testrand256(blinding_key);
+    secp256k1_testrand256(entropy);
+
+    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, &fixed_tag, 1, 1, &fixed_tag, 100, entropy) == 1);
+    CHECK(input_index == 0);
+
+    /* Generation should fail */
+    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_tag, fixed_tag.data, blinding_key));
+    CHECK(!secp256k1_surjectionproof_generate(ctx, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key));
+
+    /* ...even when the blinding key is zero */
+    memset(blinding_key, 0, 32);
+    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_tag, fixed_tag.data, blinding_key));
+    CHECK(!secp256k1_surjectionproof_generate(ctx, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key));
+}
+
 void test_fixed_vectors(void) {
     const unsigned char tag0_ser[] = {
         0x0a,
@@ -672,6 +711,7 @@ void test_fixed_vectors(void) {
 
 void run_surjection_tests(void) {
     test_surjectionproof_api();
+    test_input_eq_output();
     test_fixed_vectors();
 
     test_input_selection(0);

src/modules/surjection/tests_impl.h

@@ -7,8 +7,8 @@
 #ifndef SECP256K1_MODULE_WHITELIST_MAIN
 #define SECP256K1_MODULE_WHITELIST_MAIN
 
-#include "include/secp256k1_whitelist.h"
-#include "modules/whitelist/whitelist_impl.h"
+#include "../../../include/secp256k1_whitelist.h"
+#include "whitelist_impl.h"
 
 #define MAX_KEYS SECP256K1_WHITELIST_MAX_N_KEYS  /* shorter alias */
 

src/modules/whitelist/main_impl.h

@@ -7,7 +7,7 @@
 #ifndef SECP256K1_MODULE_WHITELIST_TESTS
 #define SECP256K1_MODULE_WHITELIST_TESTS
 
-#include "include/secp256k1_whitelist.h"
+#include "../../../include/secp256k1_whitelist.h"
 
 void test_whitelist_end_to_end_internal(const unsigned char *summed_seckey, const unsigned char *online_seckey, const secp256k1_pubkey *online_pubkeys, const secp256k1_pubkey *offline_pubkeys, const secp256k1_pubkey *sub_pubkey, const size_t signer_i, const size_t n_keys) {
         unsigned char serialized[32 + 4 + 32 * SECP256K1_WHITELIST_MAX_N_KEYS] = {0};