Comparing changes

I claim the check can be removed but I don't want to touch this stable and well-tested code. On the way, we fix grammar in another comment.

…normalize) `random_fe_non_zero` contains a loop iteration limit that ensures that we abort if `random_fe` ever yielded zero more than ten times in a row. This construct was first introduced in PR #19 (commit 09ca4f3) for random non-square field elements and was later refactored into the non-zero helper in PR #25 (commit 6d6102f). The copy-over to the exhaustive tests happened recently in PR #1118 (commit 0f86420). This case seems to be practically irrelevant and I'd argue for keeping things simple and removing it; if there's really a worry that the test's random generator is heavily biased towards certain values or value ranges then there should consequently be checks at other places too (e.g. directly in `random_fe` for 256-bit values that repeatedly overflow, i.e. >= p). Also, the _fe_normalize call is not needed and can be removed, as the result of `random_fe` is already normalized.

…` helpers)

This test tested whether setting the callback works correctly which should be tested in the context tests.

Co-authored-by: Tim Ruffing <crypto@timruffing.de>

This commit also explicitly initializes shortpubkey. For some reason, removing surrounding, unrelated lines results in gcc warnings when configured with --enable-ctime-tests=no --with-valgrind=no.

9b118bc release cleanup: bump version after 0.4.0 (Jonas Nick) Pull request description: based on #1415 ACKs for top commit: sipa: ACK 9b118bc hebasto: ACK 9b118bc real-or-random: ACK 9b118bc Tree-SHA512: 76df87c41bdc3379df4e88619645f5110010d7713ebe20bad3e7c99472bd62b90f4bd3c6b558ad5a23119acc4734e39383d96a9800e4a43dfadc086ef66fd0ab

…EGAL_VOID 7030364 tests: add CHECK_ERROR_VOID and use it in scratch tests (Jonas Nick) f8d7ea6 tests: Replace counting_illegal_callbacks with CHECK_ILLEGAL_VOID (Jonas Nick) a1d52e3 tests: remove unnecessary test in run_ec_pubkey_parse_test (Jonas Nick) 875b0ad tests: remove unnecessary set_illegal_callback (Jonas Nick) Pull request description: Fixes #1167 ACKs for top commit: siv2r: reACK 7030364 (tests pass locally) real-or-random: reACK 7030364 Tree-SHA512: 0ca1f1c92a1c3a93b412433e53e882be56f3c7c55d4cbf12683ab7d9b8a916231b6508270099bfed0bfaa9d0af19cb8fdf0fe3274112ab48d33a0bd2356f2fa7

b0f7bfe doc: Do not mention soname in CHANGELOG.md "ABI Compatibility" section (Hennadii Stepanov) bd9d98d doc: Align documented scripts with CI ones (Hennadii Stepanov) Pull request description: ACKs for top commit: sipa: ACK b0f7bfe real-or-random: ACK b0f7bfe Tree-SHA512: 99cbc065cf9610923a863bac34e607ce4f2b1fe71fc32cb96fed33203e42c914ef29924cd9eade89859f63fdd95ffb214c5a2a1066bfca9c202e85aec5f7c16e

This change allows downstream projects to use pkg-config to search for the libsecp256k1 library that is built with CMake.

421d848 ci: Align Autotools/CMake `CI_INSTALL` directory names (Hennadii Stepanov) 9f005c6 cmake: Install `libsecp256k1.pc` file (Hennadii Stepanov) Pull request description: This PR allows downstream projects to use pkg-config to search for the libsecp256k1 library that is built with CMake. Addressed #1419 (comment): > We could just ship the pkg-config file also in CMake builds. ACKs for top commit: real-or-random: ACK 421d848 I compared the generated pc files and they match in autotools and CMake Tree-SHA512: 8e54eb7c76bc727ab18715258c06cc2a419c6c04892a2bd7bfe34392f9a3223f673ff84d2d21b00b3c222b357f02296ec49c872532d98ea0a2f17ef1ed6b6ac1

https://github.com/docker/build-push-action/releases/tag/v5.0.0 https://github.com/docker/setup-buildx-action/releases/tag/v3.0.0

d9d80fd ci: Bump major versions for docker actions (Hennadii Stepanov) Pull request description: See: - https://github.com/docker/build-push-action/releases/tag/v5.0.0 - https://github.com/docker/setup-buildx-action/releases/tag/v3.0.0 ACKs for top commit: real-or-random: ACK d9d80fd Tree-SHA512: b1266e46cd02f8e893b4ce3b4bf51f7fb2ea7c6ae54a5c24a4bc5df4f6e97e99afaf90cf598d4321e8b83a250ba5fd7d43c34d53a8cc71f70f6c6e05cc973d6f

…and unneeded normalize) c45b7c4 refactor: introduce testutil.h (deduplicate `random_fe_`, `ge_equals_` helpers) (Sebastian Falbesoner) dc55141 tests: simplify `random_fe_non_zero` (remove loop limit and unneeded normalize) (Sebastian Falbesoner) Pull request description: `random_fe_non_zero` contains a loop iteration limit that ensures that we abort if `random_fe` ever yielded zero more than ten times in a row. This construct was first introduced in PR #19 (commit 09ca4f3) for random non-square field elements and was later refactored into the non-zero helper in PR #25 (commit 6d6102f). The copy-over to the exhaustive tests happened recently in PR #1118 (commit 0f86420). This case seems to be practically irrelevant and I'd argue for keeping things simple and removing it (which was already suggested in #1118 (comment)); if there's really a worry that the test's random generator is heavily biased towards certain values or value ranges then there should consequently be checks at other places too (e.g. directly in `random_fe` for 256-bit values that repeatedly overflow, i.e. >= p). Also, the _fe_normalize call is not needed and can be removed, as the result of `random_fe` is already normalized. ACKs for top commit: real-or-random: utACK c45b7c4 siv2r: ACK `c45b7c4` (reviewed the changes and tests for both the commits passed locally). Tree-SHA512: 4ffa66dd0b8392d7d0083a71e7b0682ad18f9261fd4ce8548c3059b497d3462db97e16114fded9787661ca447a877a27f5b996bd7d47e6f91c4454079d28a8ac

Co-authored-by: Tim Ruffing <crypto@timruffing.de>

fa4d6c7 ci/cirrus: Add native ARM64 persistent workers (MarcoFalke) 2262d0e ci/cirrus: Bring back skeleton .cirrus.yml without jobs (Tim Ruffing) Pull request description: ACKs for top commit: real-or-random: ACK fa4d6c7 hebasto: re-ACK fa4d6c7, only last two commits have been squashed since my recent [review](#1426 (review)). Tree-SHA512: d1fee99d54a41a4126f7eb72695a56137c925dc9ce7cd692a60ea1262ac0789bbd6aa4e4dfc030f0d97d06aeeae0724a5f2d794a85ff533c6cf3cd215f6a4b7a

We're not solely using cirrus anymore and github already displays the CI status at a different location.

5dab0ba README: remove CI badge (Jonas Nick) Pull request description: ACKs for top commit: sipa: utACK 5dab0ba real-or-random: utACK 5dab0ba Tree-SHA512: 56730fa8067cc48b8e5af6fc21b0cd6c47f615c5ebba9edcf29ca5eaf7b2359662a9af219612e80688d8f8939649c7c3c26136c0442ba47d56251a0d92cf984a

Co-authored-by: Jonas Nick <jonasd.nick@gmail.com> Co-authored-by: Tim Ruffing <crypto@timruffing.de>

* add test case for a=infinity The corresponding ecmult_const branch was not tested before this commit. * add test for edge cases

Based on the surrounding asserts, 112 bits before this line, and 61 bits after this line, this assertion should be 113 bits. Notably the commensurate line in secp256k1_fe_sqr_inner is correctly assert to be 113 bits.

355bbdf Add changelog entry for signed-digit ecmult_const algorithm (Pieter Wuille) 21f49d9 Remove unused secp256k1_scalar_shr_int (Pieter Wuille) 115fdc7 Remove unused secp256k1_wnaf_const (Pieter Wuille) aa9f3a3 ecmult_const: add/improve tests (Jonas Nick) 4d16e90 Signed-digit based ecmult_const algorithm (Pieter Wuille) ba523be make SECP256K1_SCALAR_CONST reduce modulo exhaustive group order (Pieter Wuille) 2140da9 Add secp256k1_scalar_half for halving scalars (+ tests/benchmarks). (Pieter Wuille) Pull request description: Using some insights learned from #1058, this replaces the fixed-wnaf ecmult_const algorithm with a signed-digit based one. Conceptually both algorithms are very similar, in that they boil down to summing precomputed odd multiples of the input points. Practically however, the new algorithm is simpler because it's just using scalar operations, rather than relying on wnaf machinery with skew terms to guarantee odd multipliers. The idea is that we can compute $q \cdot A$ as follows: * Let $s = f(q)$, for some function $f()$. * Compute $(s_1, s_2)$ such that $s = s_1 + \lambda s_2$, using `secp256k1_scalar_lambda_split`. * Let $v_1 = s_1 + 2^{128}$ and $v_2 = s_2 + 2^{128}$ (such that the $v_i$ are positive and $n$ bits long). * Computing the result as $$\sum_{i=0}^{n-1} (2v_1[i]-1) 2^i A + \sum_{i=0}^{n-1} (2v_2[i]-1) 2^i \lambda A$$ where $x[i]$ stands for the *i*'th bit of $x$, so summing positive and negative powers of two times $A$, based on the bits of $v_1.$ The comments in `ecmult_const_impl.h` show that if $f(q) = (q + (1+\lambda)(2^n - 2^{129} - 1))/2 \mod n$, the result will equal $q \cdot A$. This last step can be performed in groups of multiple bits at once, by looking up entries in a precomputed table of odd multiples of $A$ and $\lambda A$, and then multiplying by a power of two before proceeding to the next group. The result is slightly faster (I measure ~2% speedup), but significantly simpler as it only uses scalar arithmetic to determine the table lookup values. The speedup is due to the fact that no skew corrections at the end are needed, and less overhead to determine table indices. The precomputed table sizes are also made independent from the `ecmult` ones, after observing that the optimal table size is bigger here (which also gives a small speedup). ACKs for top commit: jonasnick: ACK 355bbdf siv2r: ACK 355bbdf real-or-random: ACK 355bbdf Tree-SHA512: 13db572cb7f9be00bf0931c65fcd8bc8b5545be86a8c8700bd6a79ad9e4d9e5e79e7f763f92ca6a91d9717a355f8162204b0ea821b6ae99d58cb400497ddc656

8185e72 ci: Ignore internal errors in snapshot compilers (Hennadii Stepanov) Pull request description: It was discussed on today's IRC meeting. ACKs for top commit: real-or-random: ACK 8185e72 Tree-SHA512: 0f41ca8303bd3d6efefcd3a544c7bd7dfcf464c57c779c876da4a77cacd262e6c963449d493fdf5a641b0d10b655c8c67fe8a147145b6533328d7bf5344313e1

With this in place, we no-longer see warnings like the following: ```bash /usr/lib/gcc-cross/arm-linux-gnueabihf/12/../../../../arm-linux-gnueabihf/bin/ld: warning: field_10x26_arm.o: missing .note.GNU-stack section implies executable stack /usr/lib/gcc-cross/arm-linux-gnueabihf/12/../../../../arm-linux-gnueabihf/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ``` Should close #1434.

These temporaries seem to been inadvertently changed to signed during a refactoring. Generally, bit shifting is frowned upon for signed values.

These changes bring the checks to the same values used at the corresponding positions in secp256k1_fe_sqr_inner.

…_inner 1027135 Return temporaries to being unsigned in secp256k1_fe_sqr_inner (roconnor-blockstream) Pull request description: These temporaries seem to been inadvertently changed to signed during a refactoring. Generally, bit shifting is frowned upon for signed values. ACKs for top commit: sipa: utACK 1027135 real-or-random: utACK 1027135 Tree-SHA512: a9fefe4b146163209662cd435422beb3c9561eb9e83110454184f70df2292992f39ec1971143428e039a80cad2f6285db74de2f059e877ad8756ff739269b67a

33dc7e4 asm: add .note.GNU-stack section for non-exec stack (fanquake) Pull request description: With this in place, we no-longer see warnings like the following: ```bash /usr/lib/gcc-cross/arm-linux-gnueabihf/12/../../../../arm-linux-gnueabihf/bin/ld: warning: field_10x26_arm.o: missing .note.GNU-stack section implies executable stack /usr/lib/gcc-cross/arm-linux-gnueabihf/12/../../../../arm-linux-gnueabihf/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ``` Should close #1434. ACKs for top commit: sipa: utACK 33dc7e4 real-or-random: utACK 33dc7e4 Tree-SHA512: f75ded8d971f54d1e871bcc4d815ba367b3e154eea2f18309ecaf9053e22f986bfffcf28418367f8055b65a5a0b245fee045adfcb63a2196df5e2f3aa6c97b89

Widely available versions of GCC and Clang beat our field asm on -O2. In particular, GCC 10.5.0, which is Bitcoin Core's current compiler for official x86_64 builds, produces code that is > 20% faster for fe_mul and > 10% faster for signature verification (see #726). These are the alternatives to this PR: We could replace our current asm with the fastest compiler output that we can find. This is potentially faster, but it has multiple drawbacks: - It's more coding work because it needs detailed benchmarks (e.g., with many compiler/options). - It's more review work because we need to deal with inline asm (including clobbers etc.) and there's a lack of experts reviewers in this area. - It's not unlikely that we'll fall behind again in a few compiler versions, and then we have to deal with this again, i.e., redo the benchmarks. Given our history here, I doubt that we'll revolve this timely. We could change the default of the asm build option to off. But this will also disable the scalar asm, which is still faster. We could split the build option into two separate options for field and scalar asm and only disable the field asm by default. But this adds complexity to the build and to the test matrix. My conclusion is that this PR gets the low-hanging fruit in terms of performance. It simplifies our code significantly. It's clearly an improvement, and it's very easy to review. Whether re-introducing better asm (whether from a compiler or from CryptOpt) is worth the hassle can be evaluated separately, and should not hold up this improvement. Solves #726.

because we don't know whether it's an optimization.

1ddd76a bench: add --help option to bench_internal (Sebastian Falbesoner) Pull request description: While coming up with commands for running the benchmarks for issue #726 (comment), I noticed that in contrast to `bench{_ecmult}`, `bench_internal` doesn't have a help option yet and figured it would be nice to have one. A comparable past PR is #1008. Benchmark categories appear in the same order as they are executed, the concrete benchmark names in parantheses per category are listed in alphabetical order. ACKs for top commit: real-or-random: utACK 1ddd76a siv2r: ACK 1ddd76a, tested the `--help` option locally, and it works as expected. Tree-SHA512: d117641a5f25a7cbf83881f3acceae99624528a0cbb2405efdbe1a3a2762b4d6b251392e954aaa32f6771069d31143743770fccafe198084c12258dedb0856fc

dcdda31 Tighten secp256k1_fe_mul_inner's VERIFY_BITS checks (Russell O'Connor) 8e2a5fe correct assertion for secp256k1_fe_mul_inner (roconnor-blockstream) Pull request description: Based on the surrounding asserts, 112 bits before this line, and 61 bits after this line, this assertion should be 113 bits. Notably the commensurate line in secp256k1_fe_sqr_inner is correctly assert to be 113 bits. ACKs for top commit: real-or-random: ACK dcdda31 tested with asm disabled Tree-SHA512: c35170e37d9a6d1413dd625032028129ab2eccee7da86697ab9641b68ad78efd7251953d51e7acaefd14888d3fd61877f9f05349c44f6fc0133ce9b3921b0e1a

As suggested in issue #1381, this will make things simpler and improve code readability, as we don't need to force omitting of evaluations on a case-by-case basis anymore and hence can remove lots of `#ifdef VERIFY`/`#endif` lines (see next commit). Plus, VERIFY_CHECK behaves now identical in both non-VERIFY and coverage mode, making the latter not special anymore and hopefully decreasing maintenance burden. The idea of "side-effect safety" is given up. Note that at two places in the ellswift module void-casts of return values have to be inserted for non-VERIFY builds, in order to avoid "variable ... set but not used [-Wunused-but-set-variable]" warnings.

Now that the `VERIFY_CHECK` compiles to empty in non-VERIFY mode, blocks that only consist of these macros don't need surrounding `#ifdef VERIFY` conditions anymore. At some places intentional blank lines are inserted for grouping and better readadbility.

By providing an uppercase variant of these verification functions, it is better visible that it is test code and surrounding `#ifdef VERIFY` blocks can be removed (if there is no other code around that could remain in production mode), as they don't serve their purpose any more. At some places intentional blank lines are inserted for grouping and better readadbility.

By providing an uppercase variant of these verification functions, it is better visible that it is test code.

Commits on Apr 26, 2023

cmake: Add SECP256K1_LATE_CFLAGS configure option

hebasto committed Apr 26, 2023

View commit details

Copy full SHA for 42f8c51

Browse repository at this point

42f8c51

Commits on Sep 5, 2023

ci/cirrus: Bring back skeleton .cirrus.yml without jobs

real-or-random committed Sep 5, 2023

View commit details

Copy full SHA for 2262d0e

Browse repository at this point

2262d0e

Commits on Oct 22, 2023

README: remove CI badge

We're not solely using cirrus anymore and github already displays the CI status at a different location.

jonasnick committed Oct 22, 2023

View commit details

Copy full SHA for 5dab0ba

Browse repository at this point

5dab0ba

-Original file line number
+Diff line change
@@ -0,0 +1,104 @@
+    env:
+      ### cirrus config
+      CIRRUS_CLONE_DEPTH: 1
+      ### compiler options
+      HOST:
+      WRAPPER_CMD:
+      # Specific warnings can be disabled with -Wno-error=foo.
+      # -pedantic-errors is not equivalent to -Werror=pedantic and thus not implied by -Werror according to the GCC manual.
+      WERROR_CFLAGS: -Werror -pedantic-errors
+      MAKEFLAGS: -j4
+      BUILD: check
+      ### secp256k1 config
+      ECMULTWINDOW: 15
+      ECMULTGENKB: 22
+      ASM: no
+      WIDEMUL: auto
+      WITH_VALGRIND: yes
+      EXTRAFLAGS:
+      ### secp256k1 modules
+      EXPERIMENTAL: no
+      ECDH: no
+      RECOVERY: no
+      EXTRAKEYS: no
+      SCHNORRSIG: no
+      MUSIG: no
+      ELLSWIFT: no
+      ### test options
+      SECP256K1_TEST_ITERS: 64
+      BENCH: yes
+      SECP256K1_BENCH_ITERS: 2
+      CTIMETESTS: yes
+      SYMBOL_CHECK: yes
+      VIRTUAL_ENV: /root/venv
+      # Compile and run the tests
+      EXAMPLES: yes
+    cat_logs_snippet: &CAT_LOGS
+      always:
+        cat_tests_log_script:
+          - cat tests.log || true
+        cat_noverify_tests_log_script:
+          - cat noverify_tests.log || true
+        cat_exhaustive_tests_log_script:
+          - cat exhaustive_tests.log || true
+        cat_ctime_tests_log_script:
+          - cat ctime_tests.log || true
+        cat_bench_log_script:
+          - cat bench.log || true
+        cat_config_log_script:
+          - cat config.log || true
+        cat_test_env_script:
+          - cat test_env.log || true
+        cat_ci_env_script:
+          - env
+    linux_arm64_container_snippet: &LINUX_ARM64_CONTAINER
+      env_script:
+        - export PATH="$VIRTUAL_ENV/bin:$PATH"
+        - env | tee /tmp/env
+      build_script:
+        - DOCKER_BUILDKIT=1 docker build --file "ci/linux-debian.Dockerfile" --tag="ci_secp256k1_arm"
+        - docker image prune --force  # Cleanup stale layers
+      test_script:
+        - docker run --rm --mount "type=bind,src=./,dst=/ci_secp256k1" --env-file /tmp/env --replace --name "ci_secp256k1_arm" "ci_secp256k1_arm" bash -c "cd /ci_secp256k1/ && ./ci/ci.sh"
+    task:
+      name: "ARM64: Linux (Debian stable)"
+      persistent_worker:
+        labels:
+          type: arm64
+      env:
+        ECDH: yes
+        RECOVERY: yes
+        EXTRAKEYS: yes
+        SCHNORRSIG: yes
+        MUSIG: yes
+        ELLSWIFT: yes
+      matrix:
+         # Currently only gcc-snapshot, the other compilers are tested on GHA with QEMU
+         - env: { CC: 'gcc-snapshot' }
+      << : *LINUX_ARM64_CONTAINER
+      << : *CAT_LOGS
+    task:
+      name: "ARM64: Linux (Debian stable), Valgrind"
+      persistent_worker:
+        labels:
+          type: arm64
+      env:
+        ECDH: yes
+        RECOVERY: yes
+        EXTRAKEYS: yes
+        SCHNORRSIG: yes
+        MUSIG: yes
+        ELLSWIFT: yes
+        WRAPPER_CMD: 'valgrind --error-exitcode=42'
+        SECP256K1_TEST_ITERS: 2
+      matrix:
+         - env: { CC: 'gcc' }
+         - env: { CC: 'clang' }
+         - env: { CC: 'gcc-snapshot' }
+         - env: { CC: 'clang-snapshot' }
+      << : *LINUX_ARM64_CONTAINER
+      << : *CAT_LOGS

-Original file line number
+Diff line change
@@ @@ -16,7 +16,7 @@ runs: @@
             cat valgrind_fingerprint
           shell: bash
-        - uses: actions/cache@v3
+        - uses: actions/cache@v4
           id: cache
           with:
             path: ${{ env.CI_HOMEBREW_CELLAR_VALGRIND }}

-Original file line number
+Diff line change
@@ -0,0 +1,34 @@
+    name: "Print logs"
+    description: "Print the log files produced by ci/ci.sh"
+    runs:
+      using: "composite"
+      steps:
+        - shell: bash
+          run: |
+            # Print the log files produced by ci/ci.sh
+            # Helper functions
+            group() {
+                title=$1
+                echo "::group::$title"
+            }
+            endgroup() {
+                echo "::endgroup::"
+            }
+            cat_file() {
+                file=$1
+                group "$file"
+                cat "$file"
+                endgroup
+            }
+            # Print all *.log files
+            shopt -s nullglob
+            for file in *.log; do
+                cat_file "$file"
+            done
+            # Print environment
+            group "CI env"
+            env
+            endgroup

-Original file line number
+Diff line change
@@ @@ -14,9 +14,9 @@ inputs: @@
     runs:
       using: "composite"
       steps:
-        - uses: docker/setup-buildx-action@v2
+        - uses: docker/setup-buildx-action@v3
-        - uses: docker/build-push-action@v4
+        - uses: docker/build-push-action@v5
           id: main_builder
           continue-on-error: true
           with:
@@ @@ -26,7 +26,7 @@ runs: @@
             load: true
             cache-from: type=gha
-        - uses: docker/build-push-action@v4
+        - uses: docker/build-push-action@v5
           id: retry_builder
           if: steps.main_builder.outcome == 'failure'
           with:
@@ @@ -36,6 +36,11 @@ runs: @@
             load: true
             cache-from: type=gha
+        - # Workaround for https://github.com/google/sanitizers/issues/1614 .
+          # The underlying issue has been fixed in clang 18.1.3.
+          run: sudo sysctl -w vm.mmap_rnd_bits=28
+          shell: bash
         - # Tell Docker to pass environment variables in `env` into the container.
           run: >
             docker run \

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comparing changes

Open a pull request

Commits on Oct 17, 2021

Commits on Apr 26, 2023

Commits on Aug 17, 2023

Commits on Sep 4, 2023

Commits on Sep 5, 2023

Commits on Sep 7, 2023

Commits on Sep 12, 2023

Commits on Sep 13, 2023

Commits on Sep 14, 2023

Commits on Sep 20, 2023

Commits on Oct 22, 2023

Commits on Oct 23, 2023

Commits on Nov 4, 2023

Commits on Nov 6, 2023

Commits on Nov 7, 2023

Commits on Nov 8, 2023

Commits on Nov 13, 2023

Commits on Nov 14, 2023

Commits on Nov 16, 2023

Commits on Nov 24, 2023

Commits on Nov 27, 2023

Commits on Nov 30, 2023

Commits on Dec 1, 2023

There are no files selected for viewing