Make ec_ arithmetic more consistent and add documentation

jonasnick commented at 5:29 pm on December 17, 2019: contributor

Fixes #671. Supersedes #668.

This PR unifies handling of invalid secret keys by introducing a new function scalar_set_b32_secret which returns false if the b32 overflows or is 0. By using this in privkey_{negate, tweak_add, tweak_mul} these function will now return 0 if the secret key is invalid which matches the behavior of ecdsa_sign and pubkey_create.

Instead of deciding whether to zeroize the secret key on failure, I only added documentation for now that the value is undefined on failure.

jonasnick cross-referenced this on Dec 17, 2019 from issue Return 0 if invalid seckey is given to ec_privkey_negate by jonasnick

in src/tests.c:1156 in 51425ee06b outdated

1148+        /* A scalar with value of the curve order minus one should not overflow. */
1149+        bin[31] -= 1;
1150+        secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1151+        CHECK(overflow == 0);
1152+        secp256k1_scalar_get_b32(bin_tmp, &scalar);
1153+        CHECK(memcmp(bin, bin_tmp, 32) == 0);

real-or-random commented at 10:51 am on December 18, 2019:

The test is correct but I wonder why this roundtrip test is there for this special value and only for this one. Was there was anything particular you had in mind here?

jonasnick commented at 2:01 pm on December 19, 2019:

It’s probably the only roundtrip because it’s the only one which doesn’t overlow and which can not be easily tested with scalar_is_zero.

in include/secp256k1.h:607 in 27b9dbfdf8 outdated

601@@ -599,9 +602,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
602 
603 /** Tweak a private key by adding tweak to it.
604  * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
605- *          uniformly random 32-byte arrays, or if the resulting private key
606- *          would be invalid (only when the tweak is the complement of the
607- *          private key). 1 otherwise.
608+ *          uniformly random 32-byte arrays, or if the given private key is
609+ *          invalid according to secp256k1_ec_seckey_verify, or if the resulting
610+ *          private key would be invalid (only when the tweak is the complement

real-or-random commented at 11:15 am on December 18, 2019:

Maybe “negated private key” instead of “complement”?

Is this really the only case? What about overflows?

real-or-random commented at 11:17 am on December 18, 2019:

This should also document what the valid range for a tweak is? (I guess every scalar?)

apoelstra commented at 11:14 pm on January 24, 2020:

Also, missing an ) after “32-byte arrays”. (This was a preexisting problem but we should fix it now.)

jonasnick commented at 4:18 pm on January 25, 2020:

@apoelstra should be fixed in the latest commit.

in include/secp256k1.h:623 in 27b9dbfdf8 outdated

617@@ -614,9 +618,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
618 
619 /** Tweak a public key by adding tweak times the generator to it.
620  * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
621- *          uniformly random 32-byte arrays, or if the resulting public key
622- *          would be invalid (only when the tweak is the complement of the
623- *          corresponding private key). 1 otherwise.
624+ *          uniformly random 32-byte arrays, or if the given private key is
625+ *          invalid according to secp256k1_ec_seckey_verify, or if the resulting
626+ *          public key would be invalid (only when the tweak is the complement

real-or-random commented at 11:15 am on December 18, 2019:

same here

apoelstra commented at 11:15 pm on January 24, 2020:

same ) issue here

in src/secp256k1.c:529 in 27b9dbfdf8 outdated

525@@ -526,7 +526,9 @@ int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *sec
526     VERIFY_CHECK(ctx != NULL);
527     ARG_CHECK(seckey != NULL);
528 
529-    secp256k1_scalar_set_b32(&sec, seckey, NULL);
530+    if(!secp256k1_scalar_set_b32_seckey(&sec, seckey)) {

real-or-random commented at 11:16 am on December 18, 2019:

nit: spacing

jonasnick commented at 1:54 pm on December 19, 2019:

fixed

in include/secp256k1.h:588 in 7cfb1fe492 outdated

583@@ -584,7 +584,8 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(
584  *           secp256k1_ec_seckey_verify. 1 otherwise
585  *  Args:   ctx:        pointer to a context object
586  *  In/Out: seckey:     pointer to the 32-byte private key to be negated. The private
587- *                      key should be valid according to secp256k1_ec_seckey_verify
588+ *                      key should be valid according to secp256k1_ec_seckey_verify.
589+ *                      Value becomes undefined if this function returns 0.

real-or-random commented at 11:21 am on December 18, 2019:

Can we say “unspecified”? “Undefined” comes with that weird terrifying sound of undefined behavior.

real-or-random commented at 11:22 am on December 18, 2019: contributor

Nice! Looks good except nits.

jonasnick force-pushed on Dec 19, 2019

jonasnick commented at 1:56 pm on December 19, 2019: contributor

@real-or-random I added a commit that rephrases the docs. Let me know if you think that’s better.

(Also, I replaced secp256k1_rand256_test with secp256k1_rand256 because the former is apparently not random, may produce invalid seckeys and travis randomly hit that in one of the test configurations).

jonasnick force-pushed on Jan 5, 2020

jonasnick commented at 12:45 pm on January 5, 2020: contributor

Removed the (attempted) constant time AND in set_b32_seckey as per @sipa’s suggestion

real-or-random commented at 1:01 pm on January 6, 2020: contributor

Is there a reason to believe that this will break downstream code (because it changes the API)?

in include/secp256k1.h:669 in c2445648ce outdated

682+ * In/Out: seckey: pointer to a 32-byte secret key. If this function returns 0,
683+ *                 seckey will be some unspecified value. (cannot be NULL).
684+ * In:     tweak:  pointer to a 32-byte tweak. Must be in the same range as secret
685+ *                 keys (see secp256k1_ec_seckey_verify). For uniformly random
686+ *                 32-byte arrays the chance of being out of range is
687+ *                 negligible (around 1 in 2^128). (cannot be NULL)

dr-orlovsky commented at 0:07 am on January 11, 2020:

while the changes are negligible, if one is aimed to write a deterministic code (like in the case of rust wrapper), it may be good to cover this case as well.

It is possible to add to the docs that in case tweak<Z_p, the function will return 0? Also, do you see any value of differentiating between tweak<Z_p and point at infinity cases? Right now both will return 0, but from the end-user perspective the first case requires change of the tweaking factor, while the second may be solved just by using a different public key…

real-or-random commented at 10:57 am on January 11, 2020:

while the changes are negligible, if one is aimed to write a deterministic code (like in the case of rust wrapper), it may be good to cover this case as well.

Believe me, you don’t care about a failure probability of 2^-128. It’s astronomically small. It’s much smaller than the probability of a hardware error (e.g., RAM returns wrong value). You can simply abort in this case.

in src/tests.c:4002 in 878fe77b9e outdated

3993@@ -3994,6 +3994,16 @@ void run_eckey_edge_case_test(void) {
3994     CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3995     CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3996     memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3997+    /* Overflowing key zeroizes */
3998+    memcpy(ctmp, orderc, 32);
3999+    memset(ctmp2, 0, 32);
4000+    ctmp2[31] = 0x01;
4001+    CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4002+    CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 0);

apoelstra commented at 11:19 pm on January 24, 2020:

Can you add a check with ctmp and ctmp2 swapped? Or maybe there is little value in this since both of these are invalid.

jonasnick commented at 4:51 pm on January 25, 2020:

Are you suggesting to test this function with an overflowing tweak? That should happen a couple of lines below. I pushed a commit to make the comments more clear.

apoelstra approved

apoelstra commented at 0:20 am on January 25, 2020: contributor

ack except nits

gmaxwell commented at 2:55 am on January 25, 2020: contributor

@jonasnick the _test rng’s are biased intentionally to hit corner cases and it worked perfectly there if it detected that your scalar generation was generating an invalid scalar. Maybe you want random_scalar_order_test or random_scalar_order instead? It’s better to make the tests not fail even with rare values because they can also be moved over to smaller groups where the failures would be common.

jonasnick commented at 4:54 pm on January 25, 2020: contributor

@gmaxwell Thanks, random_scalar_order is almost what I was looking for and agree that it’s better than rand256. I added a function similar to random_scalar_order but returning a byte array.

real-or-random commented at 1:59 pm on January 27, 2020: contributor

Can you squash this?

jonasnick force-pushed on Jan 27, 2020

real-or-random cross-referenced this on Feb 3, 2020 from issue Eliminate harmless non-constant time operations on secret data. by gmaxwell

jonasnick force-pushed on Feb 7, 2020

jonasnick force-pushed on Mar 7, 2020

jonasnick commented at 9:47 pm on March 7, 2020: contributor

Rebasing required a bit of thought due to #710. Please have a look.

jonasnick force-pushed on Mar 12, 2020

jonasnick commented at 10:53 pm on March 12, 2020: contributor

I improved ecdsa_sign’s uses of secp256k1_scalar_set_b32_seckey a little bit.

in include/secp256k1.h:554 in bcd79c0d4c outdated

550@@ -551,7 +551,10 @@ SECP256K1_API int secp256k1_ecdsa_sign(
551     const void *ndata
552 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
553 
554-/** Verify an ECDSA secret key.
555+/** Verify an ECDSA secret key. It is valid if it is not 0 and less than the

real-or-random commented at 6:43 am on March 13, 2020:

nit: usually we have a one-sentence description, then an empty line and then more text in our doc comments. (I admit it’s not consistent everywhere)

jonasnick commented at 2:15 pm on March 20, 2020:

fixed

in include/secp256k1.h:556 in bcd79c0d4c outdated

550@@ -551,7 +551,10 @@ SECP256K1_API int secp256k1_ecdsa_sign(
551     const void *ndata
552 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
553 
554-/** Verify an ECDSA secret key.
555+/** Verify an ECDSA secret key. It is valid if it is not 0 and less than the
556+ *  secp256k1 curve order when interpreted as an integer (most significant byte
557+ *  first). The probability of choosing a 32-byte string at random which is an

real-or-random commented at 6:46 am on March 13, 2020:

maybe “uniformly” (if only for consistency with the other functions)

jonasnick commented at 2:15 pm on March 20, 2020:

fixed

in include/secp256k1.h:627 in bcd79c0d4c outdated

630+ *                  function returns 0, seckey will be some unspecified
631+ *                  value. (cannot be NULL)
632+ * In:       tweak: pointer to a 32-byte tweak. Must be in the same range as secret
633+ *                  keys (see secp256k1_ec_seckey_verify). For uniformly random
634+ *                  32-byte arrays the chance of being out of range is
635+ *                  negligible (around 1 in 2^128). (cannot be NULL)

real-or-random commented at 6:48 am on March 13, 2020:

related to line 617: Is it really the tweak that must be in range or the resulting secret key? I think both?

jonasnick commented at 2:16 pm on March 20, 2020:

I don’t understand what you’re suggesting. Yes, the tweak must be in range. The resulting seckey will be in range if the tweak is not the negation of the seckey.

in include/secp256k1.h:653 in bcd79c0d4c outdated

662+ * In/Out:  pubkey: pointer to a public key object. If this function returns 0,
663+ *                  pubkey will be invalid. (cannot be NULL).
664+ * In:      tweak:  pointer to a 32-byte tweak. Must be in the same range as secret
665+ *                  keys (see secp256k1_ec_seckey_verify). For uniformly random
666+ *                  32-byte arrays the chance of being out of range is
667+ *                  negligible (around 1 in 2^128). (cannot be NULL)

real-or-random commented at 6:48 am on March 13, 2020:

same as above

in src/secp256k1.c:474 in bcd79c0d4c outdated

470@@ -471,7 +471,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
471     secp256k1_scalar r, s;
472     secp256k1_scalar sec, non, msg;
473     int ret = 0;
474-    int overflow = 0;
475+    int is_sec_valid;

real-or-random commented at 6:53 am on March 13, 2020:

Neat! This really improves the logic in the signing function.

Now actually with the duplicate code, we should do this in the recover module as well… Not sure in which order to perform the changes. :/ Do you have a suggestion?

jonasnick commented at 2:16 pm on March 20, 2020:

Afaics it’s just wasted work if we fix the duplicated recovery code. Better to make recovery use the common code in a separate PR (right after this one).

in src/tests.c:4004 in bcd79c0d4c outdated

4002     CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4003     CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4004     memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4005-    /* Overflowing key tweak zeroizes. */
4006+    /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4007+    seckey, the seckey is zeroized. */

real-or-random commented at 7:00 am on March 13, 2020:

Here they’re not called with an overflowing seckey but the resulting seckey would overflow.

jonasnick commented at 2:16 pm on March 20, 2020:

No, seckey is equal to orderc which is overflowing. Added CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);

in src/scalar_impl.h:61 in bcd79c0d4c outdated

54@@ -55,6 +55,12 @@ static void secp256k1_scalar_order_get_num(secp256k1_num *r) {
55 }
56 #endif
57 
58+static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin) {
59+  int overflow;
60+  secp256k1_scalar_set_b32(r, bin, &overflow);
61+  return (!overflow) & (!secp256k1_scalar_is_zero(r));

real-or-random commented at 7:11 am on March 13, 2020:

nit: indentation I only point it out here but it’s wrong in many functions you added.

jonasnick commented at 2:16 pm on March 20, 2020:

Ugh, fixed, but only saw this in one other function (run_scalar_set_b32_seckey_tests)

in include/secp256k1.h:602 in bcd79c0d4c outdated

598+    const secp256k1_context* ctx,
599+    unsigned char *seckey
600+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
601+
602+/** Same as secp256k1_ec_seckey_negate, but DEPRECATED. Will be removed in
603+ *  future versions. */

real-or-random commented at 7:16 am on March 13, 2020:

Can you change the calls in the codebase to the seckey variants? For example https://github.com/bitcoin-core/secp256k1/blob/master/src/valgrind_ctime_test.c#L76

jonasnick commented at 2:16 pm on March 20, 2020:

Done

in include/secp256k1.h:619 in bcd79c0d4c outdated

612@@ -599,57 +613,85 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
613     secp256k1_pubkey *pubkey
614 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
615 
616-/** Tweak a private key by adding tweak to it.
617- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
618- *          uniformly random 32-byte arrays, or if the resulting private key
619- *          would be invalid (only when the tweak is the complement of the
620- *          private key). 1 otherwise.
621+/** Tweak a secret key by adding tweak to it.

real-or-random commented at 7:19 am on March 13, 2020:

nit: Now that you’re rewriting those, can you add an empty line here? (same for the other tweak functions)

jonasnick commented at 2:17 pm on March 20, 2020:

Done

in src/eckey_impl.h:60 in bcd79c0d4c outdated

53@@ -54,10 +54,7 @@ static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *p
54 
55 static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak) {
56     secp256k1_scalar_add(key, key, tweak);
57-    if (secp256k1_scalar_is_zero(key)) {
58-        return 0;
59-    }
60-    return 1;

real-or-random commented at 7:24 am on March 13, 2020:

Huh, shouldn’t this have been caught by the new constant time test?

jonasnick commented at 2:17 pm on March 20, 2020:

Presumably the compiler optimized away the branching

in include/secp256k1.h:645 in bcd79c0d4c outdated

652- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
653- *          uniformly random 32-byte arrays, or if the resulting public key
654- *          would be invalid (only when the tweak is the complement of the
655- *          corresponding private key). 1 otherwise.
656+ * Returns: 0 if the resulting public key would be invalid (only when the tweak
657+ *          is the negation of the corresponding secret key). 1 otherwise.

real-or-random commented at 7:36 am on March 13, 2020:

What if the tweak itself is out of range?

jonasnick commented at 2:17 pm on March 20, 2020:

Added a commit to clarify

in include/secp256k1.h:589 in bcd79c0d4c outdated

588+ *  Returns: 0 if the given secret key is invalid according to
589+ *           secp256k1_ec_seckey_verify. 1 otherwise
590  *  Args:   ctx:        pointer to a context object
591- *  In/Out: seckey:     pointer to the 32-byte private key to be negated (cannot be NULL)
592+ *  In/Out: seckey:     pointer to the 32-byte secret key to be negated. The secret
593+ *                      key should be valid according to secp256k1_ec_seckey_verify.

real-or-random commented at 7:40 am on March 13, 2020:

nit: “should” is somewhat imprecise. suggestion: “If the secret key is invalid according to secp256k1_ec_seckey_verify, this function returns 0 and seckey will be set to some unspecified value.”

jonasnick commented at 2:17 pm on March 20, 2020:

fixed in separate commit

in include/secp256k1.h:620 in bcd79c0d4c outdated

623+ *          is the negation of the secret key). 1 otherwise.
624  * Args:    ctx:    pointer to a context object (cannot be NULL).
625- * In/Out:  seckey: pointer to a 32-byte private key.
626- * In:      tweak:  pointer to a 32-byte tweak.
627- */
628+ * In/Out:  seckey: pointer to a 32-byte secret key. The secret key should be

real-or-random commented at 7:41 am on March 13, 2020:

same as above

jonasnick commented at 2:17 pm on March 20, 2020:

fixed

in include/secp256k1.h:617 in bcd79c0d4c outdated

617- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
618- *          uniformly random 32-byte arrays, or if the resulting private key
619- *          would be invalid (only when the tweak is the complement of the
620- *          private key). 1 otherwise.
621+/** Tweak a secret key by adding tweak to it.
622+ * Returns: 0 if the resulting secret key would be invalid (only when the tweak

real-or-random commented at 7:41 am on March 13, 2020:

What if the tweak itself is out of range?

jonasnick commented at 2:18 pm on March 20, 2020:

fixed

in include/secp256k1.h:624 in bcd79c0d4c outdated

627- */
628+ * In/Out:  seckey: pointer to a 32-byte secret key. The secret key should be
629+ *                  valid according to secp256k1_ec_seckey_verify. If this
630+ *                  function returns 0, seckey will be some unspecified
631+ *                  value. (cannot be NULL)
632+ * In:       tweak: pointer to a 32-byte tweak. Must be in the same range as secret

real-or-random commented at 7:43 am on March 13, 2020:

“must” is similar to “should” here. I guess it’s better to specify the consequences if it’s not in range, then the function will return 0.

jonasnick commented at 2:18 pm on March 20, 2020:

fixed

real-or-random commented at 7:50 am on March 13, 2020: contributor

Sorry for the many comments now, I probably could have pointed out some of those things earlier.

Since there are invalid tweaks, do we need a tweak_verify function?

jonasnick force-pushed on Mar 20, 2020

jonasnick cross-referenced this on Mar 23, 2020 from issue Make use of constant time ecdsa_sign code in ecdsa_sign_recoverable by jonasnick

in src/secp256k1.c:573 in 08b28cbc04 outdated

571-    return 1;
572+    return ret;
573+}
574+
575+int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
576+  return secp256k1_ec_seckey_negate(ctx, seckey);

real-or-random commented at 3:12 pm on March 30, 2020:

nit: indentation

jonasnick commented at 8:50 pm on March 30, 2020:

fixed

in src/secp256k1.c:613 in 08b28cbc04 outdated

608@@ -605,6 +609,10 @@ int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *
609     return ret;
610 }
611 
612+int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
613+  return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak);

real-or-random commented at 3:14 pm on March 30, 2020:

here too

jonasnick commented at 8:51 pm on March 30, 2020:

fixed

in src/secp256k1.c:661 in 08b28cbc04 outdated

656@@ -649,6 +657,10 @@ int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *
657     return ret;
658 }
659 
660+int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
661+  return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak);

real-or-random commented at 3:14 pm on March 30, 2020:

same

jonasnick commented at 8:51 pm on March 30, 2020:

fixed

real-or-random commented at 3:22 pm on March 30, 2020: contributor

ACK except nits

in include/secp256k1.h:621 in 08b28cbc04 outdated

625- * In/Out:  seckey: pointer to a 32-byte private key.
626- * In:      tweak:  pointer to a 32-byte tweak.
627- */
628+/** Tweak a secret key by adding tweak to it.
629+ *
630+ *  Returns: 0 if the arguments are invalid or resulting secret key would be

real-or-random commented at 3:36 pm on March 30, 2020:

0 *  Returns: 0 if the arguments are invalid or the resulting secret key would be

jonasnick commented at 8:51 pm on March 30, 2020:

fixed

jonasnick force-pushed on Mar 30, 2020

Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key 9ab2cbe0eb

Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify 3fec982608

Add test for boundary conditions of scalar_set_b32 with respect to overflows 8f814cddb9

Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul 5894e1f1df

Define valid ECDSA keys in the documentation of seckey_verify f03df0e6d7

Mention that value is unspecified for In/Out parameters if the function returns 0 5a73f14d6c

Rename private key to secret key in public API (with the exception of function names) 22911ee6da

Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul 41fc785602

Make tweak function documentation more consistent.

Do this by adding a newline after the first sentence and aligning the rest.

89853a0f2e

Clarify documentation of tweak functions.

In particular, mention that the functions return 0 if seckey or tweak are
invalid (as opposed to saying "should" or "must" be valid).

7e3952ae82

jonasnick commented at 8:52 pm on March 30, 2020: contributor

@apoelstra would you mind reACKing?

real-or-random approved

real-or-random commented at 9:18 am on March 31, 2020: contributor

ACK 7e3952ae82af2a98619de74614f2d3f0ff072941 I read the diff carefully and tested the changes

apoelstra approved

apoelstra commented at 12:15 pm on April 30, 2020: contributor

ACK 7e3952ae82af2a98619de74614f2d3f0ff072941

real-or-random merged this on Apr 30, 2020

real-or-random closed this on Apr 30, 2020

elichai cross-referenced this on May 4, 2020 from issue Should passing invalid recid to sig parsing call the callback? by elichai

elichai cross-referenced this on May 13, 2020 from issue Bump libsecp256k1 by elichai

sipa cross-referenced this on Jun 9, 2020 from issue Update libsecp256k1 subtree by sipa

fanquake referenced this in commit 8c97780db8 on Jun 13, 2020

sidhujag referenced this in commit 8a3a072968 on Jun 13, 2020

ComputerCraftr referenced this in commit b98f1c6e6c on Jun 16, 2020

real-or-random referenced this in commit 6539af36c3 on Jul 29, 2020

real-or-random referenced this in commit d08aa3f0dc on Jul 29, 2020

real-or-random cross-referenced this on Jul 29, 2020 from issue Remove lax DER parsing functions from contrib by real-or-random

jasonbcox referenced this in commit 83cc25fe22 on Sep 27, 2020

deadalnix referenced this in commit a745ffe8ae on Sep 28, 2020

UdjinM6 referenced this in commit 9d36ba6570 on Aug 10, 2021

5tefan referenced this in commit 8ded2caa74 on Aug 12, 2021

gades referenced this in commit d855cc511d on May 8, 2022

Make ec_ arithmetic more consistent and add documentation #701