Update secp256k1 subtree (including BIP340 support)

sipa commented at 7:48 pm on September 11, 2020: member

This updates our src/secp256k1 subtree to the latest libsecp256k1 upstream version.

As it adds BIP340 support (see https://github.com/bitcoin-core/secp256k1/pull/558), this is a prerequisite for #17977. In particular, it contains:

A few generic library improvements
Support for x-only public keys as used by BIP340.
Support for “key pair” objects, making signing more efficient by using a precomputed public key.
Signing support for BIP340 Schnorr (single-party) signatures.
Verification support for BIP340 Schnorr signatures.
Support for verifying tweaked x-only keys, as used by BIP341’s Taproot construction.

Things that are not included:

MuSig, nor any kind of multisignatures, threshold signatures, … on top.
Batch verification.
Support for variable-length messages in BIP340 (which are still being discussed, but won’t affect BIP341, or Bitcoin Core).
A few more generic improvements that are still in the pipeline, including faster modular inversions.

Squashed 'src/secp256k1/' changes from 2ed54da18a..8ab24e8dad

8ab24e8dad Merge #558: Add schnorrsig module which implements BIP-340 compliant signatures
f3733c5433 Merge #797: Fix Jacobi benchmarks and other benchmark improvements
cb5524adc5 Add benchmark for secp256k1_ge_set_gej_var
5c6af60ec5 Make jacobi benchmarks vary inputs
d0fdd5f009 Randomize the Z coordinates in bench_internal
c7a3424c5f Rename bench_internal variables
875d68b95f Merge #699: Initialize field elements when resulting in infinity
54caf2e74f Merge #799: Add fallback LE/BE for architectures with known endianness + SHA256 selftest
f431b3f28a valgrind_ctime_test: Add schnorrsig_sign
16ffa9d97c schnorrsig: Add taproot test case
8dfd53ee3f schnorrsig: Add benchmark for sign and verify
4e43520026 schnorrsig: Add BIP-340 compatible signing and verification
7332d2db6b schnorrsig: Add BIP-340 nonce function
7a703fd97d schnorrsig: Init empty experimental module
eabd9bc46a Allow initializing tagged sha256
6fcb5b845d extrakeys: Add keypair_xonly_tweak_add
58254463f9 extrakeys: Add keypair struct with create, pub and pub_xonly
f0010349b8 Separate helper functions for pubkey_create and seckey_tweak_add
910d9c284c extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test
176bfb1110 Separate helper function for ec_pubkey_tweak_add
4cd2ee474d extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey
f49c9896b0 Merge #806: Trivial: Add test logs to gitignore
aabf00c155 Merge #648: Prevent ints from wrapping around in scratch space functions
f5adab16a9 Merge #805: Remove the extremely outdated TODO file.
bceefd6547 Add test logs to gitignore
1c325199d5 Remove the extremely outdated TODO file.
47e6618e11 extrakeys: Init empty experimental module
3e08b02e2a Make the secp256k1_declassify argument constant
8bc6aeffa9 Add SHA256 selftest
670cdd3f8b Merge #798: Check assumptions on integer implementation at compile time
5e5fb28b4a Use additional system macros to figure out endianness
7c068998ba Compile-time check assumptions on integer types
02b6c87b52 Add support for (signed) __int128
979961c506 Merge #787: Use preprocessor macros instead of autoconf to detect endianness
887bd1f8b6 Merge #793: Make scalar/field choice depend on C-detected __int128 availability
0dccf98a21 Use preprocessor macros instead of autoconf to detect endianness
b2c8c42cf1 Merge #795: Avoid linking libcrypto in the valgrind ct test.
57d3a3c64c Avoid linking libcrypto in the valgrind ct test.
79f1f7a4f1 Autodetect __int128 availability on the C side
0d7727f95e Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field
805082de11 Merge #696: Run a Travis test on s390x (big endian)
39295362cf Test travis s390x (big endian)
6034a04fb1 Merge #778: secp256k1_gej_double_nonzero supports infinity
f60915906d Merge #779: travis: Fix argument quoting for ./configure
9e49a9b255 travis: Fix argument quoting for ./configure
18d36327fd secp256k1_gej_double_nonzero supports infinity
214cb3c321 Merge #772: Improve constant-timeness on PowerPC
40412b1930 Merge #774: tests: Abort if malloc() fails during context cloning tests
2e1b9e0458 tests: Abort if malloc() fails during context cloning tests
67a429f31f Suppress a harmless variable-time optimization by clang in _int_cmov
5b196338f0 Remove redundant "? 1 : 0" after comparisons in scalar code
3e5cfc5c73 Merge #741: Remove unnecessary sign variable from wnaf_const
66bb9320c0 Merge #773: Fix some compile problems on weird/old compilers.
1309c03c45 Fix some compile problems on weird/old compilers.
2309c7dd4a Merge #769: Undef HAVE___INT128 in basic-config.h to fix gen_context compilation
22e578bb11 Undef HAVE___INT128 in basic-config.h to fix gen_context compilation
3f4a5a10e4 Merge #765: remove dead store in ecdsa_signature_parse_der_lax
f00d6575ca remove dead store in ecdsa_signature_parse_der_lax
dbd41db16a Merge #759: Fix uninitialized variables in ecmult_multi test
2e7fc5b537 Fix uninitialized variables in ecmult_multi test
37dba329c6 Remove unnecessary sign variable from wnaf_const
6bb0b77e15 Fix test_constant_wnaf for -1 and add a test for it.
47a7b8382f Clear field elements when writing infinity
61d1ecb028 Added test with additions resulting in infinity
60f7f2de5d Don't assume that ALIGNMENT > 1 in tests
ada6361dec Use ROUND_TO_ALIGN in scratch_create
8ecc6ce50e Add check preventing rounding to alignment from wrapping around in scratch_alloc
4edaf06fb0 Add check preventing integer multiplication wrapping around in scratch_max_allocation

git-subtree-dir: src/secp256k1
git-subtree-split: 8ab24e8dad9d43fc6661842149899e3cc9213b24

b9c1a76481

Update src/secp256k1 subtree to upstream libsecp256k1 894fb33f4c

real-or-random commented at 7:51 pm on September 11, 2020: member

We still have #19263 open but this should not stop us from updating here.

DrahtBot added the label Build system on Sep 11, 2020

instagibbs commented at 8:10 pm on September 11, 2020: member

Ran the subtree linter locally, manually checking hashes:

0src/secp256k1 in HEAD currently refers to tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7
1src/secp256k1 in HEAD was last updated in commit b9c1a7648131c5deec9704ee9acd00ec1820b9ce (tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7)
2src/secp256k1 in HEAD was last updated to upstream commit 8ab24e8dad9d43fc6661842149899e3cc9213b24 (tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7)
3GOOD

Also as an exercise, ran the same update exercise, code matches:

0git subtree pull --prefix src/secp256k1 https://github.com/bitcoin-core/secp256k1.git 8ab24e8dad9d43fc6661842149899e3cc9213b24 --squash

ACK 894fb33f4c1b24667891f7d2aff9f486177b1173

benthecarman approved

benthecarman commented at 8:44 pm on September 11, 2020: contributor

0$ ./test/lint/git-subtree-check.sh src/secp256k1
1src/secp256k1 in HEAD currently refers to tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7
2src/secp256k1 in HEAD was last updated in commit b9c1a7648131c5deec9704ee9acd00ec1820b9ce (tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7)
3src/secp256k1 in HEAD was last updated to upstream commit 8ab24e8dad9d43fc6661842149899e3cc9213b24 (tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7)
4GOOD

ACK 894fb33

luke-jr commented at 7:55 pm on September 12, 2020: member

Looks like this bump unconditionally forces Valgrind calls on systems with Valgrind headers. Opened https://github.com/bitcoin-core/secp256k1/pull/813 to address.

gmaxwell commented at 2:07 am on September 14, 2020: contributor

@luke-jr Nothing about this PR changes behaviour with respect to valgrind (see my comments on the linked issue).

[The line change at https://github.com/bitcoin/bitcoin/pull/19944/files#diff-54d0bb117d455c49976ee2aa20b140eaL102 is just changing it so that the standalone constant time test binary doesn’t link openssl if openssl is being used by the test for comparison testing.]

fanquake commented at 3:50 am on September 14, 2020: member

ACK 894fb33f4c1b24667891f7d2aff9f486177b1173. Any Valgrind concerns will be addressed upstream, see discussion in https://github.com/bitcoin-core/secp256k1/pull/813, and if necessary, can be pulled into our tree prior to the 0.21.0 branch off. They are not a blocker for merging this PR in it’s current state.

 0➜  bitcoin-merge-tree git:(pull/19944/local-merge) git fetch https://github.com/bitcoin-core/secp256k1
 1remote: Enumerating objects: 6, done.
 2remote: Counting objects: 100% (6/6), done.
 3remote: Compressing objects: 100% (5/5), done.
 4remote: Total 5566 (delta 1), reused 2 (delta 1), pack-reused 5560
 5Receiving objects: 100% (5566/5566), 2.39 MiB | 1023.00 KiB/s, done.
 6Resolving deltas: 100% (3887/3887), done.
 7From https://github.com/bitcoin-core/secp256k1
 8 * branch                HEAD       -> FETCH_HEAD
 9➜  bitcoin-merge-tree git:(pull/19944/local-merge) ./test/lint/git-subtree-check.sh src/secp256k1
10src/secp256k1 in HEAD currently refers to tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7
11src/secp256k1 in HEAD was last updated in commit b9c1a7648131c5deec9704ee9acd00ec1820b9ce (tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7)
12src/secp256k1 in HEAD was last updated to upstream commit 8ab24e8dad9d43fc6661842149899e3cc9213b24 (tree 1b2db0573d7c4f2f90589da7886816d0db73b8c7)
13GOOD

fanquake merged this on Sep 14, 2020

fanquake closed this on Sep 14, 2020

sidhujag referenced this in commit 711b81967a on Sep 15, 2020

str4d referenced this in commit 53ba8172c8 on Oct 1, 2020

zkbot referenced this in commit af274b66b3 on Oct 1, 2020

zkbot referenced this in commit f709b1a6c6 on Oct 21, 2020

zkbot referenced this in commit cafc622a22 on Oct 21, 2020

UdjinM6 referenced this in commit c2ab8285d8 on Aug 10, 2021

5tefan referenced this in commit abf9ac837f on Aug 12, 2021

DrahtBot locked this on Feb 15, 2022

Update secp256k1 subtree (including BIP340 support) #19944