Make ec_ arithmetic more consistent and add documentation #701

pull jonasnick wants to merge 10 commits into bitcoin-core:master from jonasnick:arithmetic-consistency changing 9 files +290 −92
  1. jonasnick commented at 5:29 pm on December 17, 2019: contributor

    Fixes #671. Supersedes #668.

    This PR unifies handling of invalid secret keys by introducing a new function scalar_set_b32_secret which returns false if the b32 overflows or is 0. By using this in privkey_{negate, tweak_add, tweak_mul} these function will now return 0 if the secret key is invalid which matches the behavior of ecdsa_sign and pubkey_create.

    Instead of deciding whether to zeroize the secret key on failure, I only added documentation for now that the value is undefined on failure.

  2. jonasnick cross-referenced this on Dec 17, 2019 from issue Return 0 if invalid seckey is given to ec_privkey_negate by jonasnick
  3. in src/tests.c:1156 in 51425ee06b outdated
    1148+        /* A scalar with value of the curve order minus one should not overflow. */
    1149+        bin[31] -= 1;
    1150+        secp256k1_scalar_set_b32(&scalar, bin, &overflow);
    1151+        CHECK(overflow == 0);
    1152+        secp256k1_scalar_get_b32(bin_tmp, &scalar);
    1153+        CHECK(memcmp(bin, bin_tmp, 32) == 0);
    


    real-or-random commented at 10:51 am on December 18, 2019:
    The test is correct but I wonder why this roundtrip test is there for this special value and only for this one. Was there was anything particular you had in mind here?

    jonasnick commented at 2:01 pm on December 19, 2019:
    It’s probably the only roundtrip because it’s the only one which doesn’t overlow and which can not be easily tested with scalar_is_zero.
  4. in include/secp256k1.h:607 in 27b9dbfdf8 outdated
    601@@ -599,9 +602,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
    602 
    603 /** Tweak a private key by adding tweak to it.
    604  * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
    605- *          uniformly random 32-byte arrays, or if the resulting private key
    606- *          would be invalid (only when the tweak is the complement of the
    607- *          private key). 1 otherwise.
    608+ *          uniformly random 32-byte arrays, or if the given private key is
    609+ *          invalid according to secp256k1_ec_seckey_verify, or if the resulting
    610+ *          private key would be invalid (only when the tweak is the complement
    


    real-or-random commented at 11:15 am on December 18, 2019:

    Maybe “negated private key” instead of “complement”?

    Is this really the only case? What about overflows?


    real-or-random commented at 11:17 am on December 18, 2019:
    This should also document what the valid range for a tweak is? (I guess every scalar?)

    apoelstra commented at 11:14 pm on January 24, 2020:
    Also, missing an ) after “32-byte arrays”. (This was a preexisting problem but we should fix it now.)

    jonasnick commented at 4:18 pm on January 25, 2020:
    @apoelstra should be fixed in the latest commit.
  5. in include/secp256k1.h:623 in 27b9dbfdf8 outdated
    617@@ -614,9 +618,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
    618 
    619 /** Tweak a public key by adding tweak times the generator to it.
    620  * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
    621- *          uniformly random 32-byte arrays, or if the resulting public key
    622- *          would be invalid (only when the tweak is the complement of the
    623- *          corresponding private key). 1 otherwise.
    624+ *          uniformly random 32-byte arrays, or if the given private key is
    625+ *          invalid according to secp256k1_ec_seckey_verify, or if the resulting
    626+ *          public key would be invalid (only when the tweak is the complement
    


    real-or-random commented at 11:15 am on December 18, 2019:
    same here

    apoelstra commented at 11:15 pm on January 24, 2020:
    same ) issue here
  6. in src/secp256k1.c:529 in 27b9dbfdf8 outdated
    525@@ -526,7 +526,9 @@ int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *sec
    526     VERIFY_CHECK(ctx != NULL);
    527     ARG_CHECK(seckey != NULL);
    528 
    529-    secp256k1_scalar_set_b32(&sec, seckey, NULL);
    530+    if(!secp256k1_scalar_set_b32_seckey(&sec, seckey)) {
    


    real-or-random commented at 11:16 am on December 18, 2019:
    nit: spacing

    jonasnick commented at 1:54 pm on December 19, 2019:
    fixed
  7. in include/secp256k1.h:588 in 7cfb1fe492 outdated
    583@@ -584,7 +584,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(
    584  *           secp256k1_ec_seckey_verify. 1 otherwise
    585  *  Args:   ctx:        pointer to a context object
    586  *  In/Out: seckey:     pointer to the 32-byte private key to be negated. The private
    587- *                      key should be valid according to secp256k1_ec_seckey_verify
    588+ *                      key should be valid according to secp256k1_ec_seckey_verify.
    589+ *                      Value becomes undefined if this function returns 0.
    


    real-or-random commented at 11:21 am on December 18, 2019:
    Can we say “unspecified”? “Undefined” comes with that weird terrifying sound of undefined behavior.
  8. real-or-random commented at 11:22 am on December 18, 2019: contributor
    Nice! Looks good except nits.
  9. jonasnick force-pushed on Dec 19, 2019
  10. jonasnick commented at 1:56 pm on December 19, 2019: contributor

    @real-or-random I added a commit that rephrases the docs. Let me know if you think that’s better.

    (Also, I replaced secp256k1_rand256_test with secp256k1_rand256 because the former is apparently not random, may produce invalid seckeys and travis randomly hit that in one of the test configurations).

  11. jonasnick force-pushed on Jan 5, 2020
  12. jonasnick commented at 12:45 pm on January 5, 2020: contributor
    Removed the (attempted) constant time AND in set_b32_seckey as per @sipa’s suggestion
  13. real-or-random commented at 1:01 pm on January 6, 2020: contributor
    Is there a reason to believe that this will break downstream code (because it changes the API)?
  14. in include/secp256k1.h:669 in c2445648ce outdated
    682+ * In/Out: seckey: pointer to a 32-byte secret key. If this function returns 0,
    683+ *                 seckey will be some unspecified value. (cannot be NULL).
    684+ * In:     tweak:  pointer to a 32-byte tweak. Must be in the same range as secret
    685+ *                 keys (see secp256k1_ec_seckey_verify). For uniformly random
    686+ *                 32-byte arrays the chance of being out of range is
    687+ *                 negligible (around 1 in 2^128). (cannot be NULL)
    


    dr-orlovsky commented at 0:07 am on January 11, 2020:

    while the changes are negligible, if one is aimed to write a deterministic code (like in the case of rust wrapper), it may be good to cover this case as well.

    It is possible to add to the docs that in case tweak<Z_p, the function will return 0? Also, do you see any value of differentiating between tweak<Z_p and point at infinity cases? Right now both will return 0, but from the end-user perspective the first case requires change of the tweaking factor, while the second may be solved just by using a different public key…


    real-or-random commented at 10:57 am on January 11, 2020:

    while the changes are negligible, if one is aimed to write a deterministic code (like in the case of rust wrapper), it may be good to cover this case as well.

    Believe me, you don’t care about a failure probability of 2^-128. It’s astronomically small. It’s much smaller than the probability of a hardware error (e.g., RAM returns wrong value). You can simply abort in this case.

  15. in src/tests.c:4002 in 878fe77b9e outdated
    3993@@ -3994,6 +3994,16 @@ void run_eckey_edge_case_test(void) {
    3994     CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
    3995     CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
    3996     memcpy(&pubkey, &pubkey2, sizeof(pubkey));
    3997+    /* Overflowing key zeroizes */
    3998+    memcpy(ctmp, orderc, 32);
    3999+    memset(ctmp2, 0, 32);
    4000+    ctmp2[31] = 0x01;
    4001+    CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
    4002+    CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 0);
    


    apoelstra commented at 11:19 pm on January 24, 2020:
    Can you add a check with ctmp and ctmp2 swapped? Or maybe there is little value in this since both of these are invalid.

    jonasnick commented at 4:51 pm on January 25, 2020:
    Are you suggesting to test this function with an overflowing tweak? That should happen a couple of lines below. I pushed a commit to make the comments more clear.
  16. apoelstra approved
  17. apoelstra commented at 0:20 am on January 25, 2020: contributor
    ack except nits
  18. gmaxwell commented at 2:55 am on January 25, 2020: contributor
    @jonasnick the _test rng’s are biased intentionally to hit corner cases and it worked perfectly there if it detected that your scalar generation was generating an invalid scalar. Maybe you want random_scalar_order_test or random_scalar_order instead? It’s better to make the tests not fail even with rare values because they can also be moved over to smaller groups where the failures would be common.
  19. jonasnick commented at 4:54 pm on January 25, 2020: contributor
    @gmaxwell Thanks, random_scalar_order is almost what I was looking for and agree that it’s better than rand256. I added a function similar to random_scalar_order but returning a byte array.
  20. real-or-random commented at 1:59 pm on January 27, 2020: contributor
    Can you squash this?
  21. jonasnick force-pushed on Jan 27, 2020
  22. real-or-random cross-referenced this on Feb 3, 2020 from issue Eliminate harmless non-constant time operations on secret data. by gmaxwell
  23. jonasnick force-pushed on Feb 7, 2020
  24. jonasnick force-pushed on Mar 7, 2020
  25. jonasnick force-pushed on Mar 7, 2020
  26. jonasnick commented at 9:47 pm on March 7, 2020: contributor
    Rebasing required a bit of thought due to #710. Please have a look.
  27. jonasnick force-pushed on Mar 12, 2020
  28. jonasnick commented at 10:53 pm on March 12, 2020: contributor
    I improved ecdsa_sign’s uses of secp256k1_scalar_set_b32_seckey a little bit.
  29. in include/secp256k1.h:554 in bcd79c0d4c outdated
    550@@ -551,7 +551,10 @@ SECP256K1_API int secp256k1_ecdsa_sign(
    551     const void *ndata
    552 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
    553 
    554-/** Verify an ECDSA secret key.
    555+/** Verify an ECDSA secret key. It is valid if it is not 0 and less than the
    


    real-or-random commented at 6:43 am on March 13, 2020:
    nit: usually we have a one-sentence description, then an empty line and then more text in our doc comments. (I admit it’s not consistent everywhere)

    jonasnick commented at 2:15 pm on March 20, 2020:
    fixed
  30. in include/secp256k1.h:556 in bcd79c0d4c outdated
    550@@ -551,7 +551,10 @@ SECP256K1_API int secp256k1_ecdsa_sign(
    551     const void *ndata
    552 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
    553 
    554-/** Verify an ECDSA secret key.
    555+/** Verify an ECDSA secret key. It is valid if it is not 0 and less than the
    556+ *  secp256k1 curve order when interpreted as an integer (most significant byte
    557+ *  first). The probability of choosing a 32-byte string at random which is an
    


    real-or-random commented at 6:46 am on March 13, 2020:
    maybe “uniformly” (if only for consistency with the other functions)

    jonasnick commented at 2:15 pm on March 20, 2020:
    fixed
  31. in include/secp256k1.h:627 in bcd79c0d4c outdated
    630+ *                  function returns 0, seckey will be some unspecified
    631+ *                  value. (cannot be NULL)
    632+ * In:       tweak: pointer to a 32-byte tweak. Must be in the same range as secret
    633+ *                  keys (see secp256k1_ec_seckey_verify). For uniformly random
    634+ *                  32-byte arrays the chance of being out of range is
    635+ *                  negligible (around 1 in 2^128). (cannot be NULL)
    


    real-or-random commented at 6:48 am on March 13, 2020:
    related to line 617: Is it really the tweak that must be in range or the resulting secret key? I think both?

    jonasnick commented at 2:16 pm on March 20, 2020:
    I don’t understand what you’re suggesting. Yes, the tweak must be in range. The resulting seckey will be in range if the tweak is not the negation of the seckey.
  32. in include/secp256k1.h:653 in bcd79c0d4c outdated
    662+ * In/Out:  pubkey: pointer to a public key object. If this function returns 0,
    663+ *                  pubkey will be invalid. (cannot be NULL).
    664+ * In:      tweak:  pointer to a 32-byte tweak. Must be in the same range as secret
    665+ *                  keys (see secp256k1_ec_seckey_verify). For uniformly random
    666+ *                  32-byte arrays the chance of being out of range is
    667+ *                  negligible (around 1 in 2^128). (cannot be NULL)
    


    real-or-random commented at 6:48 am on March 13, 2020:
    same as above
  33. in src/secp256k1.c:474 in bcd79c0d4c outdated
    470@@ -471,7 +471,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
    471     secp256k1_scalar r, s;
    472     secp256k1_scalar sec, non, msg;
    473     int ret = 0;
    474-    int overflow = 0;
    475+    int is_sec_valid;
    


    real-or-random commented at 6:53 am on March 13, 2020:

    Neat! This really improves the logic in the signing function.

    Now actually with the duplicate code, we should do this in the recover module as well… Not sure in which order to perform the changes. :/ Do you have a suggestion?


    jonasnick commented at 2:16 pm on March 20, 2020:
    Afaics it’s just wasted work if we fix the duplicated recovery code. Better to make recovery use the common code in a separate PR (right after this one).
  34. in src/tests.c:4004 in bcd79c0d4c outdated
    4002     CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
    4003     CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
    4004     memcpy(&pubkey, &pubkey2, sizeof(pubkey));
    4005-    /* Overflowing key tweak zeroizes. */
    4006+    /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
    4007+    seckey, the seckey is zeroized. */
    


    real-or-random commented at 7:00 am on March 13, 2020:
    Here they’re not called with an overflowing seckey but the resulting seckey would overflow.

    jonasnick commented at 2:16 pm on March 20, 2020:
    No, seckey is equal to orderc which is overflowing. Added CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
  35. in src/scalar_impl.h:61 in bcd79c0d4c outdated
    54@@ -55,6 +55,12 @@ static void secp256k1_scalar_order_get_num(secp256k1_num *r) {
    55 }
    56 #endif
    57 
    58+static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin) {
    59+  int overflow;
    60+  secp256k1_scalar_set_b32(r, bin, &overflow);
    61+  return (!overflow) & (!secp256k1_scalar_is_zero(r));
    


    real-or-random commented at 7:11 am on March 13, 2020:
    nit: indentation I only point it out here but it’s wrong in many functions you added.

    jonasnick commented at 2:16 pm on March 20, 2020:
    Ugh, fixed, but only saw this in one other function (run_scalar_set_b32_seckey_tests)
  36. in include/secp256k1.h:602 in bcd79c0d4c outdated
    598+    const secp256k1_context* ctx,
    599+    unsigned char *seckey
    600+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
    601+
    602+/** Same as secp256k1_ec_seckey_negate, but DEPRECATED. Will be removed in
    603+ *  future versions. */
    


    real-or-random commented at 7:16 am on March 13, 2020:
    Can you change the calls in the codebase to the seckey variants? For example https://github.com/bitcoin-core/secp256k1/blob/master/src/valgrind_ctime_test.c#L76

    jonasnick commented at 2:16 pm on March 20, 2020:
    Done
  37. in include/secp256k1.h:619 in bcd79c0d4c outdated
    612@@ -599,57 +613,85 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
    613     secp256k1_pubkey *pubkey
    614 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
    615 
    616-/** Tweak a private key by adding tweak to it.
    617- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
    618- *          uniformly random 32-byte arrays, or if the resulting private key
    619- *          would be invalid (only when the tweak is the complement of the
    620- *          private key). 1 otherwise.
    621+/** Tweak a secret key by adding tweak to it.
    


    real-or-random commented at 7:19 am on March 13, 2020:
    nit: Now that you’re rewriting those, can you add an empty line here? (same for the other tweak functions)

    jonasnick commented at 2:17 pm on March 20, 2020:
    Done
  38. in src/eckey_impl.h:60 in bcd79c0d4c outdated
    53@@ -54,10 +54,7 @@ static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *p
    54 
    55 static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak) {
    56     secp256k1_scalar_add(key, key, tweak);
    57-    if (secp256k1_scalar_is_zero(key)) {
    58-        return 0;
    59-    }
    60-    return 1;
    


    real-or-random commented at 7:24 am on March 13, 2020:
    Huh, shouldn’t this have been caught by the new constant time test?

    jonasnick commented at 2:17 pm on March 20, 2020:
    Presumably the compiler optimized away the branching
  39. in include/secp256k1.h:645 in bcd79c0d4c outdated
    652- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
    653- *          uniformly random 32-byte arrays, or if the resulting public key
    654- *          would be invalid (only when the tweak is the complement of the
    655- *          corresponding private key). 1 otherwise.
    656+ * Returns: 0 if the resulting public key would be invalid (only when the tweak
    657+ *          is the negation of the corresponding secret key). 1 otherwise.
    


    real-or-random commented at 7:36 am on March 13, 2020:
    What if the tweak itself is out of range?

    jonasnick commented at 2:17 pm on March 20, 2020:
    Added a commit to clarify
  40. in include/secp256k1.h:589 in bcd79c0d4c outdated
    588+ *  Returns: 0 if the given secret key is invalid according to
    589+ *           secp256k1_ec_seckey_verify. 1 otherwise
    590  *  Args:   ctx:        pointer to a context object
    591- *  In/Out: seckey:     pointer to the 32-byte private key to be negated (cannot be NULL)
    592+ *  In/Out: seckey:     pointer to the 32-byte secret key to be negated. The secret
    593+ *                      key should be valid according to secp256k1_ec_seckey_verify.
    


    real-or-random commented at 7:40 am on March 13, 2020:
    nit: “should” is somewhat imprecise. suggestion: “If the secret key is invalid according to secp256k1_ec_seckey_verify, this function returns 0 and seckey will be set to some unspecified value.”

    jonasnick commented at 2:17 pm on March 20, 2020:
    fixed in separate commit
  41. in include/secp256k1.h:620 in bcd79c0d4c outdated
    623+ *          is the negation of the secret key). 1 otherwise.
    624  * Args:    ctx:    pointer to a context object (cannot be NULL).
    625- * In/Out:  seckey: pointer to a 32-byte private key.
    626- * In:      tweak:  pointer to a 32-byte tweak.
    627- */
    628+ * In/Out:  seckey: pointer to a 32-byte secret key. The secret key should be
    


    real-or-random commented at 7:41 am on March 13, 2020:
    same as above

    jonasnick commented at 2:17 pm on March 20, 2020:
    fixed
  42. in include/secp256k1.h:617 in bcd79c0d4c outdated
    617- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
    618- *          uniformly random 32-byte arrays, or if the resulting private key
    619- *          would be invalid (only when the tweak is the complement of the
    620- *          private key). 1 otherwise.
    621+/** Tweak a secret key by adding tweak to it.
    622+ * Returns: 0 if the resulting secret key would be invalid (only when the tweak
    


    real-or-random commented at 7:41 am on March 13, 2020:
    What if the tweak itself is out of range?

    jonasnick commented at 2:18 pm on March 20, 2020:
    fixed
  43. in include/secp256k1.h:624 in bcd79c0d4c outdated
    627- */
    628+ * In/Out:  seckey: pointer to a 32-byte secret key. The secret key should be
    629+ *                  valid according to secp256k1_ec_seckey_verify. If this
    630+ *                  function returns 0, seckey will be some unspecified
    631+ *                  value. (cannot be NULL)
    632+ * In:       tweak: pointer to a 32-byte tweak. Must be in the same range as secret
    


    real-or-random commented at 7:43 am on March 13, 2020:
    “must” is similar to “should” here. I guess it’s better to specify the consequences if it’s not in range, then the function will return 0.

    jonasnick commented at 2:18 pm on March 20, 2020:
    fixed
  44. real-or-random commented at 7:50 am on March 13, 2020: contributor

    Sorry for the many comments now, I probably could have pointed out some of those things earlier.

    Since there are invalid tweaks, do we need a tweak_verify function?

  45. jonasnick force-pushed on Mar 20, 2020
  46. jonasnick cross-referenced this on Mar 23, 2020 from issue Make use of constant time ecdsa_sign code in ecdsa_sign_recoverable by jonasnick
  47. in src/secp256k1.c:573 in 08b28cbc04 outdated
    571-    return 1;
    572+    return ret;
    573+}
    574+
    575+int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
    576+  return secp256k1_ec_seckey_negate(ctx, seckey);
    


    real-or-random commented at 3:12 pm on March 30, 2020:
    nit: indentation

    jonasnick commented at 8:50 pm on March 30, 2020:
    fixed
  48. in src/secp256k1.c:613 in 08b28cbc04 outdated
    608@@ -605,6 +609,10 @@ int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *
    609     return ret;
    610 }
    611 
    612+int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
    613+  return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak);
    


    real-or-random commented at 3:14 pm on March 30, 2020:
    here too

    jonasnick commented at 8:51 pm on March 30, 2020:
    fixed
  49. in src/secp256k1.c:661 in 08b28cbc04 outdated
    656@@ -649,6 +657,10 @@ int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *
    657     return ret;
    658 }
    659 
    660+int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
    661+  return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak);
    


    real-or-random commented at 3:14 pm on March 30, 2020:
    same

    jonasnick commented at 8:51 pm on March 30, 2020:
    fixed
  50. real-or-random commented at 3:22 pm on March 30, 2020: contributor
    ACK except nits
  51. in include/secp256k1.h:621 in 08b28cbc04 outdated
    625- * In/Out:  seckey: pointer to a 32-byte private key.
    626- * In:      tweak:  pointer to a 32-byte tweak.
    627- */
    628+/** Tweak a secret key by adding tweak to it.
    629+ *
    630+ *  Returns: 0 if the arguments are invalid or resulting secret key would be
    


    real-or-random commented at 3:36 pm on March 30, 2020:
    0 *  Returns: 0 if the arguments are invalid or the resulting secret key would be
    

    jonasnick commented at 8:51 pm on March 30, 2020:
    fixed
  52. jonasnick force-pushed on Mar 30, 2020
  53. jonasnick force-pushed on Mar 30, 2020
  54. Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key 9ab2cbe0eb
  55. Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify 3fec982608
  56. Add test for boundary conditions of scalar_set_b32 with respect to overflows 8f814cddb9
  57. Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul 5894e1f1df
  58. Define valid ECDSA keys in the documentation of seckey_verify f03df0e6d7
  59. Mention that value is unspecified for In/Out parameters if the function returns 0 5a73f14d6c
  60. Rename private key to secret key in public API (with the exception of function names) 22911ee6da
  61. Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul 41fc785602
  62. Make tweak function documentation more consistent.
    Do this by adding a newline after the first sentence and aligning the rest.
    89853a0f2e
  63. Clarify documentation of tweak functions.
    In particular, mention that the functions return 0 if seckey or tweak are
    invalid (as opposed to saying "should" or "must" be valid).
    7e3952ae82
  64. jonasnick commented at 8:52 pm on March 30, 2020: contributor
    @apoelstra would you mind reACKing?
  65. real-or-random approved
  66. real-or-random commented at 9:18 am on March 31, 2020: contributor
    ACK 7e3952ae82af2a98619de74614f2d3f0ff072941 I read the diff carefully and tested the changes
  67. apoelstra approved
  68. apoelstra commented at 12:15 pm on April 30, 2020: contributor
    ACK 7e3952ae82af2a98619de74614f2d3f0ff072941
  69. real-or-random merged this on Apr 30, 2020
  70. real-or-random closed this on Apr 30, 2020

  71. elichai cross-referenced this on May 4, 2020 from issue Should passing invalid recid to sig parsing call the callback? by elichai
  72. elichai cross-referenced this on May 13, 2020 from issue Bump libsecp256k1 by elichai
  73. sipa cross-referenced this on Jun 9, 2020 from issue Update libsecp256k1 subtree by sipa
  74. fanquake referenced this in commit 8c97780db8 on Jun 13, 2020
  75. sidhujag referenced this in commit 8a3a072968 on Jun 13, 2020
  76. ComputerCraftr referenced this in commit b98f1c6e6c on Jun 16, 2020
  77. real-or-random referenced this in commit 6539af36c3 on Jul 29, 2020
  78. real-or-random referenced this in commit d08aa3f0dc on Jul 29, 2020
  79. real-or-random cross-referenced this on Jul 29, 2020 from issue Remove lax DER parsing functions from contrib by real-or-random
  80. jasonbcox referenced this in commit 83cc25fe22 on Sep 27, 2020
  81. deadalnix referenced this in commit a745ffe8ae on Sep 28, 2020
  82. UdjinM6 referenced this in commit 9d36ba6570 on Aug 10, 2021
  83. 5tefan referenced this in commit 8ded2caa74 on Aug 12, 2021
  84. gades referenced this in commit d855cc511d on May 8, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-22 10:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me