Squashed 'src/secp256k1/' changes from 3967d96..efad350

efad350 Merge bitcoin#906: Use modified divsteps with initial delta=1/2 for constant-time
cc2c09e Merge bitcoin#918: Clean up configuration in gen_context
0706796 add ECMULT_GEN_PREC_BITS to basic_config.h
a3aa262 gen_context: Don't include basic-config.h
be0609f Add unit tests for edge cases with delta=1/2 variant of divsteps
cd393ce Optimization: only do 59 hddivsteps per iteration instead of 62
277b224 Use modified divsteps with initial delta=1/2 for constant-time
376ca36 Fix typo in explanation
1e5d50f Merge bitcoin#889: fix uninitialized read in tests
c083cc6 Merge bitcoin#903: Make argument of fe_normalizes_to_zero{_var} const
6e89853 Merge bitcoin#907: changed import to use brackets <> for openssl
4504472 changed import to use brackets <> for openssl as they are not local to the project
26de4df Merge bitcoin#831: Safegcd inverses, drop Jacobi symbols, remove libgmp
23c3fb6 Make argument of fe_normalizes_to_zero{_var} const
24ad04f Make scalar_inverse{,_var} benchmark scale with SECP256K1_BENCH_ITERS
ebc1af7 Optimization: track f,g limb count and pass to new variable-time update_fg_var
b306935 Optimization: use formulas instead of lookup tables for cancelling g bits
9164a1b Optimization: special-case zero modulus limbs in modinv64
1f233b3 Remove num/gmp support
20448b8 Remove unused Jacobi symbol support
5437e7b Remove unused scalar_sqr
aa9cc52 Improve field/scalar inverse tests
1e0e885 Make field/scalar code use the new modinv modules for inverses
436281a Move secp256k1_fe_inverse{_var} to per-impl files
aa404d5 Move secp256k1_scalar_{inverse{_var},is_even} to per-impl files
08d5496 Improve bounds checks in modinv modules
151aac0 Add tests for modinv modules
d8a92fc Add extensive comments on the safegcd algorithm and implementation
8e415ac Add safegcd based modular inverse modules
de0a643 Add secp256k1_ctz{32,64}_var functions
4c3ba88 Merge bitcoin#901: ci: Switch all Linux builds to Debian and more improvements
9361f36 ci: Select number of parallel make jobs depending on CI environment
28eccdf ci: Split output of logs into multiple sections
c7f754f ci: Run PRs on merge result instead of on the source branch
b994a8b ci: Print information about binaries using "file"
f24e122 ci: Switch all Linux builds to Debian
ebdba03 Merge bitcoin#891: build: Add workaround for automake 1.13 and older
3a8b47b Merge bitcoin#894: ctime_test: move context randomization test to the end
7d3497c ctime_test: move context randomization test to the end
99a1cfe print warnings for conditional-uninitialized
3d2cf6c initialize variable in tests
f329bba build: Add workaround for automake 1.13 and older
24d1656 Merge bitcoin#882: Use bit ops instead of int mult for constant-time logic in gej_add_ge
e491d06 Use bit ops instead of int mult for constant-time logic in gej_add_ge
f8c0b57 Merge bitcoin#864: Add support for Cirrus CI
cc2a545 ci: Refactor Nix shell files
2480e55 ci: Remove support for Travis CI
2b359f1 ci: Enable simple cache for brewing valgrind on macOS
8c02e46 ci: Add support for Cirrus CI
659d0d4 Merge bitcoin#880: Add parens around ROUND_TO_ALIGN's parameter.
b6f6498 Add parens around ROUND_TO_ALIGN's parameter. This makes the macro robust against a hypothetical ROUND_TO_ALIGN(foo ? sizeA : size B) invocation.
a4abaab Merge bitcoin#877: Add missing secp256k1_ge_set_gej_var decl.
5671e5f Merge bitcoin#874: Remove underscores from header defs.
db72678 Merge bitcoin#878: Remove unused secp256k1_fe_inv_all_var
b732701 Merge bitcoin#875: Avoid casting (void**) values.
75d2ae1 Remove unused secp256k1_fe_inv_all_var
482e4a9 Add missing secp256k1_ge_set_gej_var decl.
2730618 Avoid casting (void**) values. Replaced with an expression that only casts (void*) values.
fb390c5 Remove underscores from header defs. This makes them consistent with other files and avoids reserved identifiers.
f2d9aea Merge bitcoin#862: Autoconf improvements
328aaef Merge bitcoin#845: Extract the secret key from a keypair
3c15130 Improve CC_FOR_BUILD detection
47802a4 Restructure and tidy configure.ac
252c19d Ask brew for valgrind include path
8c727b9 Merge bitcoin#860: fixed trivial typo
b7bc3a4 fixed typo
33cb3c2 Add secret key extraction from keypair to constant time tests
36d9dc1 Add seckey extraction from keypair to the extrakeys tests
fc96aa7 Add a function to extract the secretkey from a keypair
98dac87 Merge bitcoin#858: Fix insecure links
07aa4c7 Fix insecure links
b61f9da Merge bitcoin#857: docs: fix simple typo, dependecy -> dependency
18aadf9 docs: fix simple typo, dependecy -> dependency
2d9e717 Merge bitcoin#852: Add sage script for generating scalar_split_lambda constants
dc6e5c3 Merge bitcoin#854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
6e85d67 Rename tweak to tweak32 in public API
f587f04 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
329a2e0 sage: Add script for generating scalar_split_lambda constants
8f0c6f1 Merge bitcoin#851: make test count iteration configurable by environment variable
f4fa8d2 forbid a test iteration of 0 or less
f554dfc sage: Reorganize files
3a10696 Merge bitcoin#849: Convert Sage code to Python 3 (as used by Sage >= 9)
13c88ef Convert Sage code to Python 3 (as used by Sage >= 9)
0ce4554 make test count iteration configurable by environment variable
9e5939d Merge bitcoin#835: Don't use reserved identifiers memczero and benchmark_verify_t
d0a83f7 Merge bitcoin#839: Prevent arithmetic on NULL pointer if the scratch space is too small
903b16a Merge bitcoin#840: Return NULL early in context_preallocated_create if flags invalid
1f4dd03 Typedef (u)int128_t only when they're not provided by the compiler
ebfa205 Return NULL early in context_preallocated_create if flags invalid
29a299e Run the undefined behaviour sanitizer on Travis
7506e06 Prevent arithmetic on NULL pointer if the scratch space is too small
e89278f Don't use reserved identifiers memczero and benchmark_verify_t

git-subtree-dir: src/secp256k1
git-subtree-split: efad350

Author: sipa

.cirrus.yml

@@ -0,0 +1,198 @@
+env:
+  WIDEMUL: auto
+  STATICPRECOMPUTATION: yes
+  ECMULTGENPRECISION: auto
+  ASM: no
+  BUILD: check
+  WITH_VALGRIND: yes
+  RUN_VALGRIND: no
+  EXTRAFLAGS:
+  HOST:
+  ECDH: no
+  RECOVERY: no
+  SCHNORRSIG: no
+  EXPERIMENTAL: no
+  CTIMETEST: yes
+  BENCH: yes
+  ITERS: 2
+  MAKEFLAGS: -j2
+
+cat_logs_snippet: &CAT_LOGS
+  always:
+    cat_tests_log_script:
+      - cat tests.log || true
+    cat_exhaustive_tests_log_script:
+      - cat exhaustive_tests.log || true
+    cat_valgrind_ctime_test_log_script:
+      - cat valgrind_ctime_test.log || true
+    cat_bench_log_script:
+      - cat bench.log || true
+  on_failure:
+    cat_config_log_script:
+      - cat config.log || true
+    cat_test_env_script:
+      - cat test_env.log || true
+    cat_ci_env_script:
+      - env
+
+merge_base_script_snippet: &MERGE_BASE
+  merge_base_script:
+    - if [ "$CIRRUS_PR" = "" ]; then exit 0; fi
+    - git fetch $CIRRUS_REPO_CLONE_URL $CIRRUS_BASE_BRANCH
+    - git config --global user.email "[email protected]"
+    - git config --global user.name "ci"
+    - git merge FETCH_HEAD  # Merge base to detect silent merge conflicts
+
+task:
+  name: "x86_64: Linux (Debian stable)"
+  container:
+    dockerfile: ci/linux-debian.Dockerfile
+    # Reduce number of CPUs to be able to do more builds in parallel.
+    cpu: 1
+    # More than enough for our scripts.
+    memory: 1G
+  matrix: &ENV_MATRIX
+    - env: {WIDEMUL:  int64,  RECOVERY: yes}
+    - env: {WIDEMUL:  int64,                 ECDH: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes}
+    - env: {WIDEMUL: int128}
+    - env: {WIDEMUL: int128,  RECOVERY: yes,            EXPERIMENTAL: yes, SCHNORRSIG: yes}
+    - env: {WIDEMUL: int128,                 ECDH: yes, EXPERIMENTAL: yes, SCHNORRSIG: yes}
+    - env: {WIDEMUL: int128,  ASM: x86_64}
+    - env: {                  RECOVERY: yes,            EXPERIMENTAL: yes, SCHNORRSIG: yes}
+    - env: {                  STATICPRECOMPUTATION: no}
+    - env: {BUILD: distcheck, WITH_VALGRIND: no, CTIMETEST: no, BENCH: no}
+    - env: {CPPFLAGS: -DDETERMINISTIC}
+    - env: {CFLAGS: -O0, CTIMETEST: no}
+    - env:
+        CFLAGS:  "-fsanitize=undefined -fno-omit-frame-pointer"
+        LDFLAGS: "-fsanitize=undefined -fno-omit-frame-pointer"
+        UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1"
+        ASM: x86_64
+        ECDH: yes
+        RECOVERY: yes
+        EXPERIMENTAL: yes
+        SCHNORRSIG: yes
+        CTIMETEST: no
+    - env: { ECMULTGENPRECISION: 2 }
+    - env: { ECMULTGENPRECISION: 8 }
+    - env:
+        RUN_VALGRIND: yes
+        ASM: x86_64
+        ECDH: yes
+        RECOVERY: yes
+        EXPERIMENTAL: yes
+        SCHNORRSIG: yes
+        EXTRAFLAGS: "--disable-openssl-tests"
+        BUILD:
+  matrix:
+    - env:
+        CC: gcc
+    - env:
+        CC: clang
+  << : *MERGE_BASE
+  test_script:
+    - ./ci/cirrus.sh
+  << : *CAT_LOGS
+
+task:
+  name: "i686: Linux (Debian stable)"
+  container:
+    dockerfile: ci/linux-debian.Dockerfile
+    cpu: 1
+    memory: 1G
+  env:
+    HOST: i686-linux-gnu
+    ECDH: yes
+    RECOVERY: yes
+    EXPERIMENTAL: yes
+    SCHNORRSIG: yes
+  matrix:
+    - env:
+        CC: i686-linux-gnu-gcc
+    - env:
+        CC: clang --target=i686-pc-linux-gnu -isystem /usr/i686-linux-gnu/include
+  test_script:
+    - ./ci/cirrus.sh
+  << : *CAT_LOGS
+
+task:
+  name: "x86_64: macOS Catalina"
+  macos_instance:
+    image: catalina-base
+  env:
+    HOMEBREW_NO_AUTO_UPDATE: 1
+    HOMEBREW_NO_INSTALL_CLEANUP: 1
+    # Cirrus gives us a fixed number of 12 virtual CPUs. Not that we even have that many jobs at the moment...
+    MAKEFLAGS: -j13
+  matrix:
+    << : *ENV_MATRIX
+  matrix:
+    - env:
+        CC: gcc-9
+    - env:
+        CC: clang
+  # Update Command Line Tools
+  # Uncomment this if the Command Line Tools on the CirrusCI macOS image are too old to brew valgrind.
+  # See https://apple.stackexchange.com/a/195963 for the implementation.
+  ## update_clt_script:
+  ##   - system_profiler SPSoftwareDataType
+  ##   - touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
+  ##   - |-
+  ##     PROD=$(softwareupdate -l | grep "*.*Command Line" | tail -n 1 | awk -F"*" '{print $2}' | sed -e 's/^ *//' | sed 's/Label: //g' | tr -d '\n')
+  ##   # For debugging
+  ##   - softwareupdate -l && echo "PROD: $PROD"
+  ##   - softwareupdate -i "$PROD" --verbose
+  ##   - rm /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
+  ##
+  brew_valgrind_pre_script:
+    - brew config
+    - brew tap --shallow LouisBrunner/valgrind
+    # Fetch valgrind source but don't build it yet.
+    - brew fetch --HEAD LouisBrunner/valgrind/valgrind
+  brew_valgrind_cache:
+    # This is $(brew --cellar valgrind) but command substition does not work here.
+    folder: /usr/local/Cellar/valgrind
+    # Rebuild cache if ...
+    fingerprint_script:
+      # ... macOS version changes:
+      - sw_vers
+      # ... brew changes:
+      - brew config
+      # ... valgrind changes:
+      - git -C "$(brew --cache)/valgrind--git" rev-parse HEAD
+    populate_script:
+      # If there's no hit in the cache, build and install valgrind.
+      - brew install --HEAD LouisBrunner/valgrind/valgrind
+  brew_valgrind_post_script:
+    # If we have restored valgrind from the cache, tell brew to create symlink to the PATH.
+    # If we haven't restored from cached (and just run brew install), this is a no-op.
+    - brew link valgrind
+  brew_script:
+    - brew install automake libtool gcc@9
+  << : *MERGE_BASE
+  test_script:
+    - ./ci/cirrus.sh
+  << : *CAT_LOGS
+
+task:
+  name: "s390x (big-endian): Linux (Debian stable, QEMU)"
+  container:
+    dockerfile: ci/linux-debian.Dockerfile
+    cpu: 1
+    memory: 1G
+  env:
+    QEMU_CMD: qemu-s390x
+    HOST: s390x-linux-gnu
+    BUILD:
+    WITH_VALGRIND: no
+    ECDH: yes
+    RECOVERY: yes
+    EXPERIMENTAL: yes
+    SCHNORRSIG: yes
+    CTIMETEST: no
+  << : *MERGE_BASE
+  test_script:
+    # https://sourceware.org/bugzilla/show_bug.cgi?id=27008
+    - rm /etc/ld.so.cache
+    - ./ci/cirrus.sh
+  << : *CAT_LOGS

.travis.yml

@@ -14,8 +14,6 @@ noinst_HEADERS += src/scalar_8x32_impl.h
 noinst_HEADERS += src/scalar_low_impl.h
 noinst_HEADERS += src/group.h
 noinst_HEADERS += src/group_impl.h
-noinst_HEADERS += src/num_gmp.h
-noinst_HEADERS += src/num_gmp_impl.h
 noinst_HEADERS += src/ecdsa.h
 noinst_HEADERS += src/ecdsa_impl.h
 noinst_HEADERS += src/eckey.h
@@ -26,14 +24,16 @@ noinst_HEADERS += src/ecmult_const.h
 noinst_HEADERS += src/ecmult_const_impl.h
 noinst_HEADERS += src/ecmult_gen.h
 noinst_HEADERS += src/ecmult_gen_impl.h
-noinst_HEADERS += src/num.h
-noinst_HEADERS += src/num_impl.h
 noinst_HEADERS += src/field_10x26.h
 noinst_HEADERS += src/field_10x26_impl.h
 noinst_HEADERS += src/field_5x52.h
 noinst_HEADERS += src/field_5x52_impl.h
 noinst_HEADERS += src/field_5x52_int128_impl.h
 noinst_HEADERS += src/field_5x52_asm_impl.h
+noinst_HEADERS += src/modinv32.h
+noinst_HEADERS += src/modinv32_impl.h
+noinst_HEADERS += src/modinv64.h
+noinst_HEADERS += src/modinv64_impl.h
 noinst_HEADERS += src/assumptions.h
 noinst_HEADERS += src/util.h
 noinst_HEADERS += src/scratch.h

Makefile.am

@@ -1,7 +1,7 @@
 libsecp256k1
 ============
 
-[![Build Status](https://travis-ci.org/bitcoin-core/secp256k1.svg?branch=master)](https://travis-ci.org/bitcoin-core/secp256k1)
+[![Build Status](https://api.cirrus-ci.com/github/bitcoin-core/secp256k1.svg?branch=master)](https://cirrus-ci.com/github/bitcoin-core/secp256k1)
 
 Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.
 
@@ -34,11 +34,11 @@ Implementation details
   * Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
     * Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
     * Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
-  * Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
 * Scalar operations
   * Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
     * Using 4 64-bit limbs (relying on __int128 support in the compiler).
     * Using 8 32-bit limbs.
+* Modular inverses (both field elements and scalars) based on [safegcd](https://gcd.cr.yp.to/index.html) with some modifications, and a variable-time variant (by Peter Dettman).
 * Group operations
   * Point addition formula specifically simplified for the curve equation (y^2 = x^3 + 7).
   * Use addition between points in Jacobian and affine coordinates where possible.

README.md

@@ -1,5 +1,5 @@
 # ===========================================================================
-#   http://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
+#   https://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
 # ===========================================================================
 #
 # SYNOPSIS

build-aux/m4/ax_prog_cc_for_build.m4

@@ -75,15 +75,10 @@ if test x"$has_libcrypto" = x"yes" && test x"$has_openssl_ec" = x; then
 fi
 ])
 
-dnl
-AC_DEFUN([SECP_GMP_CHECK],[
-if test x"$has_gmp" != x"yes"; then
+AC_DEFUN([SECP_VALGRIND_CHECK],[
+if test x"$has_valgrind" != x"yes"; then
   CPPFLAGS_TEMP="$CPPFLAGS"
-  CPPFLAGS="$GMP_CPPFLAGS $CPPFLAGS"
-  LIBS_TEMP="$LIBS"
-  LIBS="$GMP_LIBS $LIBS"
-  AC_CHECK_HEADER(gmp.h,[AC_CHECK_LIB(gmp, __gmpz_init,[has_gmp=yes; GMP_LIBS="$GMP_LIBS -lgmp"; AC_DEFINE(HAVE_LIBGMP,1,[Define this symbol if libgmp is installed])])])
-  CPPFLAGS="$CPPFLAGS_TEMP"
-  LIBS="$LIBS_TEMP"
+  CPPFLAGS="$VALGRIND_CPPFLAGS $CPPFLAGS"
+  AC_CHECK_HEADER([valgrind/memcheck.h], [has_valgrind=yes; AC_DEFINE(HAVE_VALGRIND,1,[Define this symbol if valgrind is installed])])
 fi
 ])