Replace MuSig(1) module with MuSig2 #131

Merged
merged 3 commits into from
Dec 20, 2021

Conversation

@jonasnick (Contributor) commented May 13, 2021

The main commit comprises 905 insertions(+), 1253 deletions(-). The diff isn't as small as I had hoped, but that's mostly because it was possible to simplify the API quite substantially which required rewriting large parts. Sorry, almost all of the changes are in one big commit which makes the diff very hard to read. Perhaps best to re-review most parts from scratch.

A few key changes:

  • Obviously no commitment round. No big session struct and no verifier sessions. No signer struct.
  • There's a new secnonce struct that is the output of musig_nonce_gen and derived from a uniformly random session_id32. The derivation can be strengthened by adding whatever session parameters (combined_pk, msg) are available. The nonce function is my ad-hoc construction that allows for these optional inputs. Please have a look at that.
  • The secnonce is made invalid after being used in partial_sign.
  • Adaptor signatures basically work as before, according to scriptless-scripts#24 ("Add MuSig2 adaptor signatures") (with the exception that they operate on aggregate instead of partial sigs)
  • To avoid making this PR overly complex I did not consider how this implementation interacts with nested-MuSig, sign-to-contract, and antiklepto.
  • Testing should be close to complete. There's no reachable line or branch that isn't exercised by the tests.
  • In the current implementation when a signer sends an invalid nonce (i.e. some garbage that can't be mapped to a group element), it is ignored when combining nonces. Only after receiving the signer's partial signature and running partial_sig_verify will we notice that the signer misbehaved. The reason for this is that 1) this makes the API simpler and 2) malicious peers don't gain any additional powers because they can always interrupt the protocol by refusing to sign. However, this is up for discussion. EDIT: this is not the case anymore since invalid nonces are rejected when they're parsed.
  • For every partial signature we verify we have to parse the pubnonce (two compressed points), despite having parsed it in process_nonces already. This is not great. process_nonces could optionally output the array of parsed pubnonces. EDIT: fixed by having a dedicated type for nonces.
  • I left src/modules/musig/musig.md unchanged for now. Perhaps we should merge it with the musig-spec. EDIT: musig.md is updated.
  • partial verification should use multiexp to compute R1 + b*R2 + c*P, but this can be done in a separate PR
  • renaming wishlist
    • pre_session -> keyagg_cache (because there is no session anymore)
    • pubkey_combine, nonce_combine, partial_sig_combine -> pubkey_agg, nonce_agg, partial_sig_agg (shorter, matches terminology in musig2)
    • musig_session_init -> musig_start (shorter, simpler) or musig_generate_nonce or musig_prepare
    • musig_partial_signature to musig_partial_sig (shorter)
  • perhaps remove pubnonces and n_pubnonces argument from process_nonces (and then also add an opaque type for the combined nonce?)
  • write the combined_pubkey into the pre_session struct (as suggested below: then 1) session_init and process_nonces don't need a combined_pk argument (and there can't be a mix-up between tweaked and untweaked keys) and 2) pubkey_tweak doesn't need an input_pubkey and the output_pubkey can be written directly into the pre_session (reducing frustration such as #131 (comment))
  • perhaps allow adapting both partial sigs (partial_sig struct) and aggregate partial sigs (64 raw bytes) as suggested below.

Based on #120.

@jonasnick jonasnick force-pushed the musig2 branch 3 times, most recently from 9532af3 to 2301071 on May 15, 2021 21:59
    * combined_pk: the combined xonly public key of all signers if already
    * known (can be NULL)
    * extra_input32: an optional 32-byte array that is input to the nonce
    * derivation function (can be NULL)
    */
    SECP256K1_API int secp256k1_musig_session_init(
@NicolasDorier NicolasDorier Jun 18, 2021

I think this is not well named. Should be secp256k1_musig_generate_nonce.

Contributor Author

Added suggestion to OP.

Contributor Author

@jonasnick jonasnick Jun 20, 2021

How do you like my suggestion musig_start (shorter, simpler)?

NicolasDorier commented Jun 18, 2021

Question about the API: why secp256k1_musig_process_nonces is separate from secp256k1_musig_partial_sign ?

Is there a situation where the consumer would want to call them separately? if not, can we just merge those two functions together?

@NicolasDorier

This line https://github.com/ElementsProject/secp256k1-zkp/blob/fe02ea61437752357351e268c2ed0d782231711b/src/modules/musig/main_impl.h#L155

seems to change the state of the session, even if the tweak add operation fails. I think the line should be moved after the tweak.

@jonasnick
Contributor Author

@NicolasDorier

Question about the API: why secp256k1_musig_process_nonces is separate from secp256k1_musig_partial_sign ?

It is separate because

  1. it allows a non-signer to verify partial sigs and adaptor sigs (see session_cache output)
  2. it allows a non-signer to aggregate the partial sigs (see sig_template output)

seems to change the state of the session, even if the tweak add operation fails. I think the line should be moved after the tweak.

If the function fails the output (pre_session) is unspecified anyway but ok I changed this.

    int *nonce_parity,
    const unsigned char * const* pubnonces,

To make the API easier to understand, I would advise removing pubnonces and n_pubnonces, and only accepting combined_pubnonce.

Contributor Author

That's fair, but then everyone has to call musig_nonces_combine instead of allowing signers without a third-party nonce aggregator to skip this function altogether.


If you decide to keep pubnonces here, consider using a strong type

NicolasDorier commented Jun 21, 2021

I would advise making process_nonces return only a single data structure rather than two separate ones.
session_cache is used for partial_sign/verify and sig_template is used for partial_sig_combine.

But since those are:

  • opaque data structure for the user,
  • there are no parsing functions related to this,
  • They are both created by process_nonces

It does not make sense for the user of the API to manipulate them as different objects.

NicolasDorier commented Jun 21, 2021

Since partial_sign and process_nonces always need pre_session to sign, and pre_session can't be serialized,
I think the type pre_session should be removed, and process_nonces/partial_sign should just accept the pubkeys.

My guess is that you are doing this for performance reasons.
But if you do, since partial_sign needs process_nonces to be called before, you could just add the data from pre_session to the new data structure I suggest in #131 (comment)

By doing what I suggest sig_template, session_cache and pre_session would be replaced by a single opaque type processed_nonces.

@NicolasDorier

I am creating some dependency graph before/after to better explain how I would refactor the API. I may be missing something.

NicolasDorier commented Jun 21, 2021

Trying to make sense of the API, here is what exists now in terms of dependencies:

[image: musig-before (dependency graph of the current API)]

Here is what I suggest:

[image: musig (dependency graph of the suggested API)]

Notably, I tried to hide sig_template, session_cache and pre_session behind an opaque processed_nonces.
And removed the need to call pubkey_combine by making process_nonce accept pubkeys directly.
Then process_nonce only accepts the combined nonce.

@jonasnick
Contributor Author

Thanks again for having a detailed look @NicolasDorier.

I would advise making process_nonces return only a single data structure rather than two separate ones.

This is a fair suggestion. I don't remember the specific reason why I did this. Perhaps it has to do with extensibility.

there are no parsing functions related to this,

We will likely add them though.

musig_session_init doesn't use pre_session.

Thanks, fixed.

My guess is that you are doing this for performance reason.

Indeed. Unless I'm missing something, if you remove the pre_session as you suggest, then entities who need to both get the aggregate key and need to call process_nonces are required to compute the aggregate key twice.

I am creating some dependency graph

That looks very helpful!

I would check that it does not overflow.

What do you suggest doing exactly?

NicolasDorier commented Jun 22, 2021

I would check that it does not overflow.

In several places in the code, you actively check if the scalar of the partial signature is overflowing.
I think you can remove those branches by just checking if the scalar is overflowing when the signature is parsed, such that overflowing partial sigs can't even be parsed (especially since the parse function already returns an int to indicate the parsing result).

Indeed. Unless I'm missing something, if you remove the pre_session as you suggest, then entities who need to both get the aggregate key and need to call process_nonces are required to compute the aggregate key twice.

The only case where I think it is useful is when you have all the partial signatures, combine them, and verify the combined Schnorr sig against the combined pubkey.

But if this is the case, it means you already called process_nonces before. So you could just add the combined pubkey in the output data structure of process_nonces (the processed_nonces in the second graph).

I see that also the pre_session is used to add tweak. I don't really understand the purpose of it, so maybe it would prevent getting rid of pre_session...

@real-or-random
Collaborator

I would check that it does not overflow.

In several places in the code, you actively check if the scalar of the partial signature is overflowing.
I think you can remove those branches by just checking if the scalar is overflowing when the signature is parsed, such that overflowing partial sigs can't even be parsed (especially since the parse function already returns an int to indicate the parsing result).

I think the question is whether we need the parse/serialize at all. Our philosophy when writing BIP340 and implementing was to consider signatures simply as fixed-sized byte arrays. Could we do this here? On the other hand, having types makes sure the user can't mess up things so easily, and there are a lot of data structures here.

NicolasDorier commented Jun 22, 2021

@real-or-random I think it is nice to have strong types. Crypto libraries are already complicated enough for users that it is better to have strong types so they have a better idea of how things are tied together.

But I think it would be even better if the parse function did some safety checks.
That said, thinking about it, in C there is no way to prevent somebody from passing an uninitialized multisig to the function, so I may be wrong and the function should still do some checks when converting to a scalar.

Maybe using some magic value, but I don't know how willing you are to do it, since nothing is really doing it yet. And still then, would need to check it. :(

@real-or-random (Collaborator) commented Jun 22, 2021

@real-or-random I think it is nice to have strong types. Crypto libraries are already complicated enough for users that it is better to have strong types so they have a better idea of how things are tied together.

Yep, I think that makes sense.

But I think it would be even better if the parse function did some safety checks.

But the scalar overflow check is not a safety check. Now we have two places where we have checks, parse and verify. I think it's much simpler to have them all in one place.

On the other hand all our other parse functions do some basic checks.

That said, thinking about it, in C there is no way to prevent somebody from passing an uninitialized multisig to the function, so I may be wrong and the function should still do some checks when converting to a scalar.

Maybe using some magic value, but I don't know how willing you are to do it, since nothing is really doing it yet. And still then, would need to check it. :(

Hm, we have magic values in the scratch space API... What types do you have in mind concretely?

NicolasDorier commented Jun 22, 2021

@real-or-random musig_partial_sig. My intention was to prevent the creation of an invalid object early (in the parse) so we don't have to check the overflow in the code later on.

But that's not possible since the user might screw up by passing uninitialized object anyway, so the check in the code is still necessary. The magic would prevent this, but then you'd have to check the magic flag rather than the overflow, which is just moving the problem.

It's still nice to have the check in the parse if some other classes are doing it. Not a big deal if you don't, though.

@jonasnick (Contributor Author) commented Jun 22, 2021

In several places in the code, you actively check if the scalar of the partial signature is overflowing.
I think you can remove those branches by just checking if the scalar is overflowing when the signature is parsed, such that overflowing partial sigs can't even be parsed (especially since the parse function already returns an int to indicate the parsing result).

@NicolasDorier Ah I see what you mean now. Agree that it's fine either way.

I think the question is whether we need the parse/serialize at all.

@real-or-random The reasoning in the BIP340 implementation is that after creating the signature, you aren't really able to do anything but serializing and verifying it. But with partial_sigs you can do more: verify, combine, adapt and (adaptor-) extract.

The only case where I think it is useful is when you have all the partial signatures, combine them, and verify the combined Schnorr sig against the combined pubkey.
But if this is the case, it means you already called process_nonces before. So you could just add the combined pubkey in the output data structure of process_nonces (the processed_nonces in the second graph).

@NicolasDorier There are other scenarios. Perhaps you already computed the aggregate pubkey because you created an output, and only later decide to sign? Also, we want to make it easy to compute the aggregate pubkey (if available) to feed it into session_init as defense in depth against session_id reuse.

I see that also the pre_session is used to add tweak. I don't really understand the purpose of it, so maybe it would prevent getting rid of pre_session...

In theory, we could add a tweak argument to process nonces (and then remove musig_pubkey_tweak_add altogether) but it has the downside mentioned above.
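The parse-time versus use-time check debated above, as an added C sketch that is not the library's code: a hypothetical strongly typed partial signature whose parse rejects any 32-byte value that is not below the secp256k1 group order, plus a magic tag so a consumer can detect an object that never went through parse (the "moving the problem" trade-off NicolasDorier describes). The type name, tag value and function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical strongly typed partial signature (constructed for this example,
 * not the library's type): 32 big-endian scalar bytes plus a magic tag that
 * only a successful parse sets. */
#define PSIG_MAGIC 0x6D735031u /* constructed marker value */

typedef struct {
    uint32_t magic;
    unsigned char s[32];
} partial_sig_t;

/* secp256k1 group order n, big-endian. */
static const unsigned char ORDER_N[32] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
    0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
};

/* 1 if the 32-byte big-endian value is >= n, i.e. it "overflows" and is not a
 * canonical scalar. memcmp compares unsigned bytes from the most significant
 * end, which is numeric order for equal-length big-endian encodings. */
static int scalar32_overflows(const unsigned char s32[32]) {
    return memcmp(s32, ORDER_N, 32) >= 0;
}

/* Parse-time check: an overflowing scalar never becomes a valid object, so
 * consumers of partial_sig_t need no second overflow branch.
 * Returns 1 on success, 0 on failure (sig is left invalid). */
int partial_sig_parse(partial_sig_t *sig, const unsigned char in32[32]) {
    memset(sig, 0, sizeof(*sig));
    if (scalar32_overflows(in32)) {
        return 0;
    }
    memcpy(sig->s, in32, 32);
    sig->magic = PSIG_MAGIC;
    return 1;
}

/* Use-time check: C cannot stop a caller from passing an uninitialized or
 * zeroed object, so the consumer still validates, but it checks the tag rather
 * than repeating the overflow comparison. Returns 1 if sig came from parse. */
int partial_sig_to_scalar(unsigned char out32[32], const partial_sig_t *sig) {
    if (sig->magic != PSIG_MAGIC) {
        return 0;
    }
    memcpy(out32, sig->s, 32);
    return 1;
}
```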

@robot-dreams (Contributor) left a comment

ACK 7ad1220 based on 3 latest fixup commits

@robot-dreams (Contributor) left a comment

Rechecked tests_impl.h and test vectors as well, still looks good.

Another public API question: right now secp256k1_musig_adapt takes sig64 as both an input and an output. However in working with the tests/examples, it felt a little bit awkward to keep track of pre_sig vs. sig without making mistakes.

What are your thoughts on changing the API to this:

    int secp256k1_musig_adapt(
        const secp256k1_context* ctx,
        unsigned char *sig64,
        const unsigned char *pre_sig64,
        const unsigned char *sec_adaptor32,
        int nonce_parity
    )

Feel free to respond to that (as well as the comment in #131 (review) about nonce_process vs. nonce_finalize) in a later PR. I'm only commenting now in case the public API becomes much harder to change after this PR is merged.

@jonasnick
Contributor Author

@robot-dreams

should musig_nonce_process be renamed to musig_nonce_finalize since it's supposed to create a final nonce?

The user may not know that they need to create a finalized nonce and the finalized nonce isn't output of the function. But they want to know what to do with the received nonce (process). Either way is probably fine but I slightly prefer nonce_process.

What are your thoughts on changing the API to this:

I probably went back and forth on this a couple of times and I can't remember my reasoning anymore. Note that in the real world (outside of tests I mean) you don't need to keep track of the pre_sig after it is adapted. I checked the WIP rust bindings and noticed that they clone the pre_sig as well which is awkward indeed. So I changed this to your suggestion.

@robot-dreams (Contributor) left a comment

ACK 73059c8 hopefully final? 🤞

Thanks for considering the API updates! I agree with your reasoning about nonce_process and I think keeping it as-is makes sense.

    CHECK(ecount == 3);
    CHECK(secp256k1_musig_adapt(none, final_sig, pre_sig, sec_adaptor, 2) == 0);
    CHECK(ecount == 4);
    /* sig and pre_sig argument point to the same location */
Contributor

So much for const 🤣

@real-or-random (Collaborator) Dec 16, 2021

Well yeah, const in a function sig is just a promise not to write through that pointer. And we keep that promise.

On a more serious note, I think now we should document in the API docs that sig and pre_sig may overlap/alias.

Collaborator

On a more serious note, I think now we should document in the API docs that sig and pre_sig may overlap/alias.

This part is still unresolved (if you agree).

Contributor Author

Added your suggested sentence
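The aliasing point above, as an added self-contained C model of the adaptation step that is not the library's code. It assumes sig64 holds R followed by s, that the adaptor secret t is negated when nonce_parity is set, and it copies every input into locals before writing, so sig64 and pre_sig64 may overlap or be the same buffer; the byte-wise scalar arithmetic is written for this example only.

```c
#include <string.h>

/* secp256k1 group order n, big-endian. */
static const unsigned char ORDER_N[32] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
    0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
};

/* r = a + b over 256 bits (big-endian bytes); returns the final carry. */
static unsigned add256(unsigned char r[32], const unsigned char a[32], const unsigned char b[32]) {
    unsigned carry = 0;
    int i;
    for (i = 31; i >= 0; i--) {
        unsigned sum = (unsigned)a[i] + (unsigned)b[i] + carry;
        r[i] = (unsigned char)sum;
        carry = sum >> 8;
    }
    return carry;
}

/* r = a - b over 256 bits; returns the final borrow. Safe when r aliases a or b,
 * because each byte is read before the same index is written. */
static unsigned sub256(unsigned char r[32], const unsigned char a[32], const unsigned char b[32]) {
    unsigned borrow = 0;
    int i;
    for (i = 31; i >= 0; i--) {
        int d = (int)a[i] - (int)b[i] - (int)borrow;
        borrow = (d < 0) ? 1u : 0u;
        r[i] = (unsigned char)(d < 0 ? d + 256 : d);
    }
    return borrow;
}

/* 1 if the big-endian value is >= n (not a canonical scalar). */
static int scalar32_overflows(const unsigned char s32[32]) {
    return memcmp(s32, ORDER_N, 32) >= 0;
}

/* r = (a + b) mod n for a, b < n: the sum is below 2n, so one conditional
 * subtraction of n reduces it. */
static void scalar_add_mod_n(unsigned char r[32], const unsigned char a[32], const unsigned char b[32]) {
    unsigned char sum[32];
    unsigned carry = add256(sum, a, b);
    if (carry || scalar32_overflows(sum)) {
        sub256(sum, sum, ORDER_N);
    }
    memcpy(r, sum, 32);
}

/* r = (-a) mod n for a < n; zero stays zero. */
static void scalar_negate_mod_n(unsigned char r[32], const unsigned char a[32]) {
    static const unsigned char zero[32] = {0};
    if (memcmp(a, zero, 32) == 0) {
        memset(r, 0, 32);
    } else {
        sub256(r, ORDER_N, a);
    }
}

/* Model of adaptation (assumed convention): sig64 = (R, s' + t), with t
 * negated first when nonce_parity is set. Every input is copied into locals
 * before any byte of sig64 is written, so sig64 and pre_sig64 may overlap or
 * be the very same buffer. Returns 1 on success, 0 if s' or t is not a
 * canonical scalar. */
int adapt_model(unsigned char *sig64, const unsigned char *pre_sig64,
                const unsigned char sec_adaptor32[32], int nonce_parity) {
    unsigned char r[32], s[32], t[32], out_s[32];
    memcpy(r, pre_sig64, 32);
    memcpy(s, pre_sig64 + 32, 32);
    memcpy(t, sec_adaptor32, 32);
    if (scalar32_overflows(s) || scalar32_overflows(t)) {
        return 0;
    }
    if (nonce_parity) {
        scalar_negate_mod_n(t, t);
    }
    scalar_add_mod_n(out_s, s, t);
    /* Writes happen last; with identical buffers this is a harmless self-copy. */
    memcpy(sig64, r, 32);
    memcpy(sig64 + 32, out_s, 32);
    return 1;
}
```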

@real-or-random (Collaborator) left a comment

ACK mod nits :))

I think this is ready to squash then.

@real-or-random
Collaborator

Link to unresolved discussion that may not be shown by stupid GitHub: #131 (comment)

Before turning it on we need to have a discussion about our confidence in the
correctness of the multiexponentiation code.
@jonasnick
Contributor Author

Ok, I squashed the fixup commits.

To the people who are already depending on this PR in some way (@NicolasDorier, @GeneFerneau, ...):

  • There were no security issues that we discovered and had to fix.
  • I've pushed a "half-squashed" version to this branch that makes it easy to see what exactly the API and "spec" changes that affected the static test vectors were.

@real-or-random (Collaborator) left a comment

ACK ac1e367

@robot-dreams
Contributor

ACK ac1e367

@real-or-random real-or-random merged commit b220661 into BlockstreamResearch:master Dec 20, 2021
@jonasnick
Contributor Author

Just noticed that I had an API design FAQ in my notes. Posting that here for better discoverability:

  • Couldn't we merge the secnonce struct into the session struct?
    • We could, but we don't because the session struct can be serialized in principle. On the other hand, we want to avoid serializing the secnonce.
  • Couldn't we copy the keyagg cache into the session struct to avoid having to deal with both?
    • When signing multiple times with the same key (and therefore the same keyagg) we'd have the same keyagg cache copied in all the sessions which is wasteful.
  • Couldn't we remove the tweak function and instead add a tweak argument to keyagg?
    • In that case, if you'd want to use a different key you'd have to reaggregate the keys which is costly.

@LLFourn

LLFourn commented Jan 12, 2022

Post-merge ACK.

The implementation was really good (so is the paper!). Thanks. I've done a rust implementation in secp256kfun. I tried to do it without looking at this too much. It's compatible though (passes the signing tests here). Here's a few notes.

One minor difference between the two is when the aggregate nonce is 0 I just return None when trying to start the signing session. Here you set it to G so the session can continue. I felt that it'd be better just to let the caller decide what should happen in this odd case. Having an easy way of continuing is a good idea though.

Just noticed that I had an API design FAQ in my notes. Posting that here for better discoverability:

* Couldn't we merge the secnonce struct into the session struct?
  
  * We could, but we don't because the session struct can be serialized in principle. On the other hand, we want to avoid serializing the secnonce.

I ended up just serializing the secret nonces along with the signing session. In the case where you are serializing and storing the secret nonces anyway, it might as well go along with the session.

But come to think of it, maybe this is wrong-headed. Since you don't need the secnonce to verify, an easy mistake to make is to keep nonces around unnecessarily after you've already signed. Maybe I need a way of clearing secret data once it's been used...

A minor nit I had with this impl was:

            pk_hash: H::default().tagged(b"KeyAgg list"),
            coeff_hash: H::default().tagged(b"KeyAgg coefficient"),
            nonce_coeff_hash: H::default().tagged(b"MuSig/noncecoef"),

The tag names are a bit inconsistent. Perhaps come up with a proper naming convention? I like <protocol>/<use>.

A nano-nit was that the order of the agg nonces in the hashing to get b changed from the paper to the implementation (in the paper the X goes first).

@jonasnick
Contributor Author

Thanks for the feedback @LLFourn! And great to see more implementations. By the way, did you notice our on-going work on the spec (#157)?

One minor difference between the two is when the aggregate nonce is 0 I just return None when trying to start the signing session.

How does the caller typically proceed in this case? Do you also support signing for aggregate nonce None (= infinity)?

In the case where you are serializing and storing the secret nonces anyway, it might as well go along with the session.

Right, but the converse is not true. You could imagine that a signer immediately signs, throws away the secnonces and keeps the session to be able to verify and aggregate partial sigs.

The tag names are a bit inconsistent. Perhaps come up with a proper naming convention? I like <protocol>/<use>.

Agree that this is not nice. Would be mostly remedied imo by simply replacing the space with "/".

LLFourn commented Jan 13, 2022

Thanks for the feedback @LLFourn! And great to see more implementations. By the way, did you notice our on-going work on the spec (#157)?

Yes. Is this going to become a full spec (not just key agg)? If so I'll move further comments over there!

One minor difference between the two is when the aggregate nonce is 0 I just return None when trying to start the signing session.

How does the caller typically proceed in this case? Do you also support signing for aggregate nonce None (= infinity)?

At the moment you can't proceed. Perhaps a better thing to do is to return a dud session (like you do here) but indicate to the caller that this happened. In the case of a 2-of-2 it should be obvious who's at fault, for example!

In the case where you are serializing and storing the secret nonces anyway, it might as well go along with the session.

Right, but the converse is not true. You could imagine that a signer immediately signs, throws away the secnonces and keeps the session to be able to verify and aggregate partial sigs.

Yeah I think the way I've done it is wrong. I imagine two scenarios:

  1. You are the one collecting the signatures in which case you don't sign until you've got all the others (or maybe you don't sign at all until some later condition e.g. lightning commit tx). So here you just want a secret free session.
  2. You sign with the session right away, in which case you should clear all secret data once you have your sig.

In any case you never really want the secrets in the session :)

@real-or-random
Collaborator

Thanks for the review and the comments!

At the moment you can't proceed. Perhaps a better thing to do is to return a dud session (like you do here) but indicate to the caller that this happened. In the case of a 2-of-2 it should be obvious who's at fault, for example!

The reason why we don't abort is that you need the second round to tell who's to blame. (I assume you're aware of this point because you mention the 2-of-2 as an exception to this observation.)

My argument for not indicating the failure early (if you continue the sessions) is that the resulting API is simpler. The cost of indicating the failure is one more return value to check (= branch) for the caller, and I believe the gain is literally zero: A disruptive signer is anyway able to force you to move on to the second round (and then send a wrong signature, or just nothing). Also, this "soft" failure is difficult to explain to users, and they won't know what to do if the first round fails. (Abort? Not abort? Print a warning?)

The tag names are a bit inconsistent. Perhaps come up with a proper naming convention? I like <protocol>/<use>.

I like that, too but practically speaking, it's easier to change the nonce function, so maybe " " is better than "/". Who knows who's using the code already. Plus, the MuSig1 code that got replaced also used "KeyAgg list" and "KeyAgg coefficient".

A nano-nit was that the order of the agg nonces in the hashing to get b changed from the paper to the implementation (in the paper the X goes first).

I had complained about this, too. But Jonas convinced me that it makes sense to put the agg nonces first: When you compute this hash, the agg nonces are always determined, whereas the public key may not be determined. We're pretty sure it's okay to use MuSig2 in a multi-key setting where you exchange nonces without knowing for which public key you want to sign. We haven't formalized the security of this variant in the paper because it adds complexity to the EUF-CMA game (= we were too lazy to do it).

@robot-dreams
Contributor

We haven't formalized the security of this variant

But intuitively it's OK because b depends on the aggregate public key, right?

(Same reason why it's OK to exchange nonces without knowing the message, and this attack no longer works?)

@real-or-random (Collaborator) commented Jan 13, 2022

Yes, indeed.

If you want a tight reduction, you'd probably modify our reduction as follows. Instead of receiving a single challenge from OMDL, receive many and sell them to the attacker as pubkeys X_1, ... X_k for some polynomial k in lambda. Then if the attacker forges under one of these pks, say X_i, you extract the DL of X_i. For all X_j with j != i, you simply give them back by asking the DL oracle. Then you have the DLs of all challenges. Also observe that the reduction doesn't use the aggregate public key ~X when simulating first-round signing queries. (This is not immediately implied by the syntax of multisig schemes as defined in the paper. The honest first-round algorithm cannot possibly make use of ~X as it does not receive it as input. But any reduction knows ~X upfront, so it could make use of it. But ours doesn't.)

hint: You could alternatively exploit the "random self-reducibility" of (OM)DL: Receive a single challenge C from OMDL and convert it to polynomially many random looking pubkeys X_i = C^d_i for random factors d_i. Idea: if the attacker forges under one of these pks, say X_i, you extract the DL of X_i and raise it to 1/d_i to obtain the DL of C. This is a standard method for pure DL proofs. But here you don't need it as the ability to have many target group elements is "built-in" in the stronger OMDL already.

real-or-random added a commit that referenced this pull request Jan 25, 2022
8088edd musig: add test vector for ordinary (non xonly) tweaking (Elliott Jin)
57a1792 musig: add ordinary and xonly tweaking to the example (Jonas Nick)
3710736 musig: allow ordinary, non-xonly tweaking (Jonas Nick)
c519b46 musig: add pubkey_get to obtain a full pubkey from a keyagg_cache (Jonas Nick)

Pull request description:

  In short, `musig_pubkey_tweak_add` now allows for xonly _and_ "ordinary" tweaking. Also, in order to allow using `ec_pubkey_tweak_add` on the non-xonly aggregate public key, there's a new function `musig_pubkey_get` that allows obtaining it from the `keyagg_cache`.

  One alternative would be that instead of adding `musig_pubkey_get`, we could change `pubkey_agg` to output an ordinary (non-xonly) pubkey. Then users of the API who do not need ordinary (BIP32) tweaking would be forced to call `xonly_pubkey_from_pubkey`. And we'd probably want to change the spec. And it would be a bit weird to output a pubkey that can't be directly schnorrsig_verify'd.

  Based on #131

ACKs for top commit:
  robot-dreams:
    ACK 8088edd based on #151 (comment) and the following `range-diff`:

Tree-SHA512: a4a0100f0470c870f88a8da27dbcc4684fcc2caabb368d4340e962e08d5ee04634e6289bafa3448dbfd0b5793a3e70de5bd6ddca7a619cc3220ff762d518a8fe
    secp256k1_ge aggnonce[2];

    secp256k1_ge_set_gej(&aggnonce[0], &aggnoncej[0]);
    secp256k1_ge_set_gej(&aggnonce[1], &aggnoncej[1]);
Member
Note that the function secp256k1_musig_nonce_process has already computed the secp256k1_ge values for aggnonce; it might be worth passing them directly to the _internal function instead of computing them again.

Collaborator
Indeed. The [0] value may have changed though when there's an aggregator. But we could still pass the ge values to _internal. Do you want to open a PR?

gwillen added a commit to gwillen/elements that referenced this pull request May 25, 2022
7a30cb0c9d Merge BlockstreamResearch/secp256k1-zkp#187: musig-spec: remove it from this repo
cc07b8f7a9 musig-spec: remove it
c1640b7049 Merge BlockstreamResearch/secp256k1-zkp#166: musig-spec: Add naive Python reference implementation
c235e5055f musig-spec: Add naive Python reference implementation
d45fbdcfad Merge BlockstreamResearch/secp256k1-zkp#180: musig: add test vectors for applying multiple tweaks
9a814bea32 Merge BlockstreamResearch/secp256k1-zkp#186: musig-spec: Minor cleanup
67247e53af musig-spec: More minor cleanup
9a1645f0ef Merge BlockstreamResearch/secp256k1-zkp#184: musig-spec: minor fixups
bf615193ce musig-spec: minor fixups
ebd10f210b Merge BlockstreamResearch/secp256k1-zkp#185: musig-spec: Clarify negation for signing and verification
0940575215 musig-spec: Clarify negation for signing and verification
18a35ec1af Merge BlockstreamResearch/secp256k1-zkp#183: Improve writing in Signing flow
1b292cdb52 Improve writing in Signing flow
a86bfa991a Merge BlockstreamResearch/secp256k1-zkp#181: musig-spec: clarify hashing in noncegen by converting ints to bytes
4469cad42f Merge BlockstreamResearch/secp256k1-zkp#182: musig-spec: address robot-dreams' comments
b7f8ea2f2a musig-spec: address robot-dreams' comments
376733b58b musig-spec: clarify hashing in noncegen by converting ints to bytes
510b61a803 musig: add test vectors for applying multiple tweaks
ac477d5148 Merge BlockstreamResearch/secp256k1-zkp#179: musig-spec: Improve writing in Motivation, Design
d903c09fd2 musig-spec: Improve writing in Motivation, Design
1d0d60d9eb Merge BlockstreamResearch/secp256k1-zkp#178: musig-spec: expand on signing flow
fd51a6281e musig-spec: add authors
f56e223a7a musig-spec: explain NonceGen and tweaking in signing flow context
e463ea42bb musig-spec: mention stateless signing in signing flow
a29b961eb7 musig-spec: add acknowledgements and improve abstract
1a086ba9c9 musig-spec: add optional arguments to strengthen nonce function
8d04ac318f musig-spec: remove unnecessary and inconsistent input paragraph
6c0aecf72b Merge BlockstreamResearch/secp256k1-zkp#174: Upstream PRs 1064, 1049, 899, 1068, 1072, 1069, 1074, 1026, 1033, 748, 1079, 1088, 1090, 731, 1089, 995, 1094, 1093
eafcd04216 Merge BlockstreamResearch/secp256k1-zkp#176: musig-spec: expand on signing flow
c715407b4f musig-spec: fix partial sig verification note in intro
11fb8a664b musig-spec: expand on signing flow
43c853fa28 Merge BlockstreamResearch/secp256k1-zkp#173: musig-spec: Add motivation and design sections
3deaa006a0 Merge BlockstreamResearch/secp256k1-zkp#175: configure: Check compile+link when checking existence of functions
79472c7ee5 configure: Check compile+link when checking existence of functions
645d9c53c4 examples: let musig use random.h instead of /dev/urandom
eccba5b4e5 examples: relicense musig example to CC0 public domain
802b7daf23 musig-spec: add motivation and design sections
7c5af740fa ci: fix missing EXPERIMENTAL flags
03bea1e173 configure: add -zkp modules to dev-mode and remove redundant code
2adb741c45 examples: rename example_musig to musig_example for consistency
8298c0c79b Merge commits 'c8aa516b 0a40a486 d8a24632 85b00a1c 59547943 5dcc6f8d 07752831 3ef94aa5 1253a277 64b34979 ac83be33 0e5cbd01 e0508ee9 587239db 1ac7e31c d0ad5814 912b7ccc 8746600e ' into temp-merge-1093
8746600eec Merge bitcoin-core/secp256k1#1093: hash: Make code agnostic of endianness
686d96222d musig-spec: various cleanups
ef537b2065 musig-spec: fix unnecessary O(n^2) KeyAgg runtime
37d36927df tests: Add tests for _read_be32 and _write_be32
912b7ccc44 Merge bitcoin-core/secp256k1#1094: doc: Clarify configure flags for optional modules
55512d30b7 doc: clean up module help text in configure.ac
d9d94a9969 doc: mention optional modules in README
616b43dd3b util: Remove endianness detection
8d89b9e6e5 hash: Make code agnostic of endianness
d0ad5814a5 Merge bitcoin-core/secp256k1#995: build: stop treating schnorrsig, extrakeys modules as experimental
1ac7e31c5b Merge bitcoin-core/secp256k1#1089: Schnorrsig API improvements
587239dbe3 Merge bitcoin-core/secp256k1#731: Change SHA256 byte counter from size_t to uint64_t
f8d9174357 Add SHA256 bit counter tests
d13429e28c Merge BlockstreamResearch/secp256k1-zkp#167: Add ordinary and x-only tweaking to spec and simplify implementation
eac0df1379 musig: mention how keyagg_cache tweak and parity relate to spec
57eb6b4167 musig-spec: move description of secret key negation to spec
633d01add0 musig-spec: add x-only and ordinary tweaking to musig
aee0747e38 musig-spec: add general description of tweaking
fb060a0c4e musig-spec: add Session Context to simplify sign/verify/sigagg
3aec4332b5 musig-spec: move remarks on spec below specification section
628d52c718 musig-spec: fix title/abstract and make algo names bold
5b760cc172 musig-spec: consistently call partial sigs psig
7f09d0f311 README: mention that ARM assembly is experimental
b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs
f813bb0df3 schnorrsig: Adapt example to new API
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate
fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions
3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated
80cf4eea5f build: stop treating schnorrsig, extrakeys modules as experimental
e0508ee9db Merge bitcoin-core/secp256k1#1090: configure: Remove redundant pkg-config code
21b2ebaf74 configure: Remove redundant pkg-config code
0e5cbd01b3 Merge bitcoin-core/secp256k1#1088: configure: Use modern way to set AR
0d253d52e8 configure: Use modern way to set AR
9b514ce1d2 Add test vector for very long SHA256 messages
8e3dde1137 Simplify struct initializer for SHA256 padding
eb28464a8b Change SHA256 byte counter from size_t to uint64_t
ac83be33d0 Merge bitcoin-core/secp256k1#1079: configure: Add hidden --enable-dev-mode to enable all the stuff
e0838d663d configure: Add hidden --enable-dev-mode to enable all the stuff
fabd579dfa configure: Remove redundant code that sets _enable variables
0d4226c051 configure: Use canonical variable prefix _enable consistently
64b34979ed Merge bitcoin-core/secp256k1#748: Add usage examples
7c9502cece Add a copy of the CC0 license to the examples
42e03432e6 Add usage examples to the readme
517644eab1 Optionally compile the examples in autotools, compile+run in travis
422a7cc86a Add a ecdh shared secret example
b0cfbcc143 Add a Schnorr signing and verifying example
fee7d4bf9e Add an ECDSA signing and verifying example
1253a27756 Merge bitcoin-core/secp256k1#1033: Add _fe_half and use in _gej_add_ge and _gej_double
3ef94aa5ba Merge bitcoin-core/secp256k1#1026: ecdh: Add test computing shared_secret=basepoint with random inputs
3531a43b5b ecdh: Make generator_basepoint test depend on global iteration count
c881dd49bd ecdh: Add test computing shared_secret=basepoint with random inputs
077528317d Merge bitcoin-core/secp256k1#1074: ci: Retry brew update a few times to avoid random failures
e51ad3b737 ci: Retry `brew update` a few times to avoid random failures
b1cb969e8a ci: Revert "Attempt to make macOS builds more reliable"
f0edc90755 musig: fix number of tweaks in tweak_test
5dcc6f8dbd Merge bitcoin-core/secp256k1#1069: build: Replace use of deprecated autoconf macro AC_PROG_CC_C89
59547943d6 Merge bitcoin-core/secp256k1#1072: ci: Attempt to make macOS builds more reliable
85b00a1c65 Merge bitcoin-core/secp256k1#1068: sage: Fix incompatibility with sage 9.4
ebb1beea78 sage: Ensure that constraints are always fastfracs
d8d54859ed ci: Run sage prover on CI
77cfa98dbc sage: Normalize sign of polynomial factors in prover
eae75869cf sage: Exit with non-zero status in case of failures
d9396a56da ci: Attempt to make macOS builds more reliable
e0db3f8a25 build: Replace use of deprecated autoconf macro AC_PROG_CC_C89
e848c3799c Update sage files for new formulae
d64bb5d4f3 Add fe_half tests for worst-case inputs
b54d843eac sage: Fix printing of errors
725d895fc5 Merge BlockstreamResearch/secp256k1-zkp#165: musig-spec: improve security argument for handling infinity
4eb8b932ff Further improve doubling formula using fe_half
557b31fac3 Doubling formula using fe_half
2cbb4b1a42 Run more iterations of run_field_misc
9cc5c257ed Add test for secp256k1_fe_half
925f78d55e Add _fe_half and use in _gej_add_ge
e108d0039c sage: Fix incompatibility with sage 9.4
aa1acb4bd1 musig-spec: improve security argument for handling infinity
d8a2463246 Merge bitcoin-core/secp256k1#899: Reduce stratch space needed by ecmult_strauss_wnaf.
73f0cbd3cc Merge BlockstreamResearch/secp256k1-zkp#157: Add description of MuSig signing to musig-spec.md
8fd97d8116 Merge BlockstreamResearch/secp256k1-zkp#158: Small musig improvements
772df3694e Merge BlockstreamResearch/secp256k1-zkp#151: MuSig: Add Minimal Compatibility with BIP32 Tweaking
0a40a4861a Merge bitcoin-core/secp256k1#1049: Faster fixed-input ecmult tests
69b392f3cb musig: move explanation for aggnonce=inf to spec
4824220bb7 musig-spec: describe NonceGen, NonceAgg, Sign,PartialSig{Verify,Agg}
3c122d0780 musig-spec: improve definition of lift_x
e0bb2d7009 musig-spec: improve KeyAgg description
b8f4e75d89 musig-spec: move to doc directory
070e772211 Faster fixed-input ecmult tests
c8aa516b57 Merge bitcoin-core/secp256k1#1064: Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes ElementsProject#1063
8088eddc53 musig: add test vector for ordinary (non xonly) tweaking
57a17929fc musig: add ordinary and xonly tweaking to the example
37107361a0 musig: allow ordinary, non-xonly tweaking
c519b46879 musig: add pubkey_get to obtain a full pubkey from a keyagg_cache
b797a500ec Create a SECP256K1_ECMULT_TABLE_VERIFY macro.
a731200cc3 Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function.
fe34d9f341 Eliminate input_pos state field from ecmult_strauss_wnaf.
0397d00ba0 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf.
7ba3ffcca0 Remove the unused pre_a_lam allocations.
b3b57ad6ee Eliminate the pre_a_lam array from ecmult_strauss_wnaf.
ae7ba0f922 Remove the unused prej allocations.
e5c18892db Eliminate the prej array from ecmult_strauss_wnaf.
c9da1baad1 Move secp256k1_fe_one to field.h
45f37b6506 Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes ElementsProject#1063.
a5b5909e8d Merge BlockstreamResearch/secp256k1-zkp#163: Typo, add subscript i
44001ad716 Typo fix, add subscript i
eb5e71b5dc Merge BlockstreamResearch/secp256k1-zkp#162: whitelist: remove ability to specific nonce function
11d675dce8 whitelist: remove ability to specific nonce function
21e2d65b79 Merge BlockstreamResearch/secp256k1-zkp#159: Sync Upstream
b7ebe6436c Test APIs of funcs that need an ecmult_gen ctx with static ctx
d895b10c18 musig: mention musig.md in example
588009d26f musig: improve doc of partial_sig_verify regarding signing sessions
72c8deac03 Merge commits with sync-upstream.sh
a1102b1219 Merge bitcoin-core/secp256k1#1029: Simpler and faster ecdh skew fixup
b1094953c4 musig: remove superfluous comment
e82144edfb Fixup skew before global Z fixup
40b624c90b Add tests for _gej_cmov
8c13a9bfe1 ECDH skews by 0 or 1
1515099433 Simpler and faster ecdh skew fixup
39a36db94a Merge bitcoin-core/secp256k1#1054: tests: Fix test whose result is implementation-defined
a310e79ee5 Merge bitcoin-core/secp256k1#1052: Use xoshiro256++ instead of RFC6979 for tests
423b6d19d3 Merge bitcoin-core/secp256k1#964: Add release-process.md
9281c9f4e1 Merge bitcoin-core/secp256k1#1053: ecmult: move `_ecmult_odd_multiples_table_globalz_windowa`
77a19750b4 Use xoshiro256++ PRNG instead of RFC6979 in tests
5f2efe684e secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N)
05e049b73c ecmult: move `_ecmult_odd_multiples_table_globalz_windowa`
3d7cbafb5f tests: Fix test whose result is implementation-defined
3ed0d02bf7 doc: add CHANGELOG template
6f42dc16c8 doc: add release_process.md
0bd3e4243c build: set library version to 0.0.0 explicitly
b4b02fd8c4 build: change libsecp version from 0.1 to 0.1.0-pre
09971a3ffd Merge bitcoin-core/secp256k1#1047: ci: Various improvements
0b83b203e1 Merge bitcoin-core/secp256k1#1030: doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
1287786c7a doc: Add comment to top of field_10x26_impl.h
58da5bd589 doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
b39d431aed Merge bitcoin-core/secp256k1#1044: Add another ecmult_multi test
b4ac1a1d5f ci: Run valgrind/memcheck tasks with 2 CPUs
e70acab601 ci: Use Cirrus "greedy" flag to use idle CPU time when available
d07e30176e ci: Update brew on macOS
22382f0ea0 ci: Test different ecmult window sizes
a69df3ad24 Merge bitcoin-core/secp256k1#816: Improve checks at top of _fe_negate methods
22d25c8e0a Add another ecmult_multi test
515e7953ca Improve checks at top of _fe_negate methods
b2206619e6 Merge BlockstreamResearch/secp256k1-zkp#131: Replace MuSig(1) module with MuSig2
26a022a3a0 ci: Remove STATICPRECOMPUTATION
10461d8bd3 precompute_ecmult: Always compute all tables up to default WINDOW_G
be6944ade9 Merge bitcoin-core/secp256k1#1042: Follow-ups to making all tables fully static
e05da9e480 Fix c++ build
c45386d994 Cleanup preprocessor indentation in precompute{,d}_ecmult{,_gen}
19d96e15f9 Split off .c file from precomputed_ecmult.h
1a6691adae Split off .c file from precomputed_ecmult_gen.h
bb36331412 Simplify precompute_ecmult_print_*
38cd84a0cb Compute ecmult tables at runtime for tests_exhaustive
e458ec26d6 Move ecmult table computation code to separate file
fc1bf9f15f Split ecmult table computation and printing
31feab053b Rename function secp256k1_ecmult_gen_{create_prec -> compute}_table
725370c3f2 Rename ecmult_gen_prec -> ecmult_gen_compute_table
075252c1b7 Rename ecmult_static_pre_g -> precomputed_ecmult
7cf47f72bc Rename ecmult_gen_static_prec_table -> precomputed_ecmult_gen
f95b8106d0 Rename gen_ecmult_static_pre_g -> precompute_ecmult
bae77685eb Rename gen_ecmult_gen_static_prec_table -> precompute_ecmult_gen
ac1e36769d musig: turn off multiexponentiation for now
3c79d97bd9 ci: increase timeout for macOS tasks
22c88815c7 musig: replace MuSig(1) with MuSig2
0559fc6e41 Merge bitcoin-core/secp256k1#988: Make signing table fully static
7dfceceea6 build: Remove #undef hack for ASM in the precomputation programs
bb36fe9be0 ci: Test `make precomp`
d94a37a20c build: Remove CC_FOR_BUILD stuff
ad63bb4c29 build: Prebuild and distribute ecmult_gen table
ac49361ed0 prealloc: Get rid of manual memory management for prealloc contexts
6573c08f65 ecmult_gen: Tidy precomputed file and save space
5eba83f17c ecmult_gen: Precompute tables for all values of ECMULT_GEN_PREC_BITS
5d0dbef018 Merge bitcoin-core/secp256k1#942: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.
486205aa68 Merge bitcoin-core/secp256k1#920: Test all ecmult functions with many j*2^i combinations
fdb33dd122 refactor: Make PREC_BITS a parameter of ecmult_gen_build_prec_table
5eb519e1f6 ci: reduce TEST_ITERS in memcheck run
e2cf77328a Test ecmult functions for all i*2^j for j=0..255 and odd i=1..255.
61ae37c612 Merge bitcoin-core/secp256k1#1022: build: Windows DLL additions
4f01840b82 Merge bitcoin-core/secp256k1#1027: build: Add a check that Valgrind actually supports a host platform
6ad908aa00 Merge bitcoin-core/secp256k1#1008: bench.c: add `--help` option and ci: move env variables
592661c22f ci: move test environment variable declaration to .cirrus.yml
dcbe84b841 bench: add --help option to bench.
099bad945e Comment and check a parameter for inf in secp256k1_ecmult_const.
6c0be857f8 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set.
4900227451 Merge bitcoin-core/secp256k1#1025: build: replace backtick command substitution with $()
7c7ce872a5 build: Add a check that Valgrind actually supports a host platform
a4875e30a6 refactor: Move default callbacks to util.h
4c94c55bce doc: Remove obsolete hint for valgrind stack size
5106226991 exhaustive_tests: Fix with ecmult_gen table with custom generator
e1a76530db refactor: Make generator a parameter of ecmult_gen_create_prec_table
9ad09f6911 refactor: Rename program that generates static ecmult_gen table
8ae18f1ab3 refactor: Rename file that contains static ecmult_gen table
00d2fa116e ecmult_gen: Make code consistent with comment
3b0c2185ea ecmult_gen: Simplify ecmult_gen context after making table static
2b7c7497ef build: replace backtick command substitution with $()
49f608de47 Merge bitcoin-core/secp256k1#1004: ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
c0cd7de6d4 build: add -no-undefined to libtool LDFLAGS
fe32a79d35 build: pass win32-dll to LT_INIT
60bf8890df ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
fecf436d53 Merge bitcoin-core/secp256k1#1019: build: don't append valgrind CPPFLAGS if not installed (macOS)
2e5e4b67df Merge bitcoin-core/secp256k1#1020: doc: remove use of <0xa0> "no break space"
812ff5c747 doc: remove use of 0xa0 "no break space"
214042a170 build: don't append valgrind CPPFLAGS if not installed
e43ba02cfc refactor: Decouple table generation and ecmult_gen context
22dc2c0a0d ecmult_gen: Move table creation to new file and force static prec
793ad9016a Merge bitcoin-core/secp256k1#1010: doc: Minor fixes in safegcd_implementation.md
dc9b6853b7 doc: Minor fixes in safegcd_implementation.md
ea5e8a9c47 Merge bitcoin-core/secp256k1#1012: Fix typos
233297579d Fix typos
7006f1b97f Merge bitcoin-core/secp256k1#1011: ci: Enable -g if we set CFLAGS manually
72de1359e9 ci: Enable -g if we set CFLAGS manually
74c34e727b Merge bitcoin-core/secp256k1#1009: refactor: Use (int)&(int) in boolean context to avoid compiler warning
16d132215c refactor: Use (int)&(int) in boolean context to avoid compiler warning
c74a7b7e51 Merge bitcoin-core/secp256k1#1007: doc: Replace apoelstra's GPG key by jonasnick's GPG key
3b157c48ed doc: Suggest keys.openpgp.org as keyserver in SECURITY.md
73a7472cd0 doc: Replace apoelstra's GPG key by jonasnick's GPG key
515a5dbd02 Merge bitcoin-core/secp256k1#991: Merge all "external" benchmarks into a single bench binary
af6abcb3d0 Make bench support selecting which benchmarks to run
9f56bdf5b9 Merge bench_schnorrsig into bench
3208557ae1 Merge bench_recover into bench
855e18d8a8 Merge bench_ecdh into bench
2a7be678a6 Combine bench_sign and bench_verify into single bench
8fa41201bd Merge bitcoin-core/secp256k1#1002: Make aux_rnd32==NULL behave identical to 0x0000..00.
5324f8942d Make aux_rnd32==NULL behave identical to 0x0000..00.
21c188b3c5 Merge bitcoin-core/secp256k1#943: VERIFY_CHECK precondition for secp256k1_fe_set_int.
3e7b2ea194 Merge bitcoin-core/secp256k1#999: bench_ecmult: improve clarity of output
23e2f66726 bench: don't return 1 in have_flag() if argc = 1
96b1ad2ea9 bench_ecmult: improve clarity of output
20d791edfb Merge bitcoin-core/secp256k1#989: Shared benchmark format for command line and CSV outputs
aa1b889b61 Merge bitcoin-core/secp256k1#996: Fix G.y parity in sage code
044d956305 Fix G.y parity in sage code
b4b130678d create csv file from the benchmark output
26a255beb6 Shared benchmark format for command line and CSV outputs
9526874d14 Merge bitcoin-core/secp256k1#810: Avoid overly-wide multiplications in 5x52 field mul/sqr
6b8733577e Merge BlockstreamResearch/secp256k1-zkp#147: whitelist: fix SECP256K1_WHITELIST_MAX_N_KEYS constant
920a0e5fa6 Merge bitcoin-core/secp256k1#952: Avoid computing out-of-bounds pointer.
f34b5cae03 Merge bitcoin-core/secp256k1#983: [RFC] Remove OpenSSL testing support
27d1c3b6a1 whitelist: add test for MAX_N_KEYS
c8ac14d9dc whitelist: fix SECP256K1_WHITELIST_MAX_N_KEYS constant
297ce82091 Merge bitcoin-core/secp256k1#966: Make aux_rand32 arg to secp256k1_schnorrsig_sign const
2888640132 VERIFY_CHECK precondition for secp256k1_fe_set_int.
d49011f54c Make _set_fe_int( . , 0 ) set magnitude to 0
e290c0f835 Merge BlockstreamResearch/secp256k1-zkp#148: fix a couple things to make Elements 22's linter happy
7812feb896 Merge BlockstreamResearch/secp256k1-zkp#144: Upstream PRs 969, 956, 783, 976
b9ebee1490 fix a couple things to make Elements 22's linter happy
bc08599e77 Remove OpenSSL testing support
10f9bd84f4 Merge bitcoin-core/secp256k1#987: Fix unused parameter warnings when building without VERIFY
189f6bcfef Fix unused parameter warnings when building without VERIFY
da0092bccc Merge bitcoin-core/secp256k1#986: tests: remove `secp256k1_fe_verify` from tests.c and modify `_fe_from_storage` to call `_fe_verify`
d43993724d tests: remove `secp256k1_fe_verify` from tests.c and modify `secp256k1_fe_from_storage` to call `secp256k1_fe_verify`
7fec4e7acc Merge BlockstreamResearch/secp256k1-zkp#145: sync-upstream: fix quoting
938725c1c9 Merge commits 'd7ec49a6 9a5a87e0 aa5d34a8 2a3a97c6 ' into temp-merge-976
95ee1fa030 sync-upstream: fix quoting
2a3a97c665 Merge bitcoin-core/secp256k1#976: `secp256k1_schnorrsig_sign_internal` should be static
aa5d34a8fe Merge bitcoin-core/secp256k1#783: Make the public API docs more consistent and explicit
72713872a8 Add missing static to secp256k1_schnorrsig_sign_internal
db4667d5e0 Make aux_rand32 arg to secp256k1_schnorrsig_sign const
9a5a87e0f1 Merge bitcoin-core/secp256k1#956: Replace ecmult_context with a generated static array.
20abd52c2e Add tests for pre_g tables.
6815761cf5 Remove ecmult_context.
f20dcbbad1 Correct typo.
16a3cc07e8 Generate ecmult_static_pre_g.h
8de2d86a06 Bump memory limits in advance of making the ecmult context static.
d7ec49a689 Merge bitcoin-core/secp256k1#969: ci: Fixes after Debian release
5d5c74a057 tests: Rewrite code to circument potential bug in clang
3d2f492ceb ci: Install libasan6 (instead of 5) after Debian upgrade
9447642140 Merge BlockstreamResearch/secp256k1-zkp#142: musig: fix session_init argument NULL check
9124ce0d9c musig: fix session_init argument NULL check
881b15cb43 Merge BlockstreamResearch/secp256k1-zkp#139: musig: use tagged hash for the list of pubkeys to aggregate
8f093be374 musig: use tagged hash for the list of pubkeys to aggregate
a6a768a4bf musig: make key agg test vector more precise
adec5a1638 Add missing null check for ctx and input keys in the public API
f4edfc7581 Improve consistency for NULL arguments in the public interface
9be7b0f083 Avoid computing out-of-bounds pointer.
b53e0cd61f Avoid overly-wide multiplications

git-subtree-dir: src/secp256k1
git-subtree-split: 7a30cb0c9d99ab195c461a6fb4e654cd4ef19a8d
ariard mentioned this pull request Aug 11, 2022