Squashed 'src/secp256k1/' changes from 533571d6cf..bfeae121fb

bfeae121fb Merge BlockstreamResearch/secp256k1-zkp#255: musig: change test vector generation code shebang from python to python3
ea478beec6 musig: change test vector generation code shebang from python to python3
53bc63f9f9 Merge BlockstreamResearch/secp256k1-zkp#245: scalar: Remove unused secp256k1_scalar_chacha20
860360eed4 scalar: Remove unused secp256k1_scalar_chacha20
3970a7292a rangeproof: Use util functions for writing big endian
afe7e649ee Merge BlockstreamResearch/secp256k1-zkp#248: bppp: Fix and improve test for invalid sign byte
1a6d93f8b6 Merge BlockstreamResearch/secp256k1-zkp#250: ci: Always define EXPERIMENTAL variable
3372993060 bppp: Fix test for invalid sign byte
7e9193666f ci: Always define EXPERIMENTAL variable
58e27bc2d2 Merge BlockstreamResearch/secp256k1-zkp#244: sync-upstream.sh: Add "git show --remerge-diff" tip
0a99156871 sync-upstream.sh: Add "git show --remerge-diff" tip
30fc9d6551 Merge BlockstreamResearch/secp256k1-zkp#242: sync-upstream.sh: Fix position of "-b" option in reproduce command
9b6a1c384d sync-upstream.sh: Fix position of "-b" option in reproduce command

git-subtree-dir: src/secp256k1
git-subtree-split: bfeae121fb0e8dd88af33390b1e163feca067bfd

Author: delta1

.cirrus.yml

@@ -14,6 +14,7 @@ env:
   WITH_VALGRIND: yes
   EXTRAFLAGS:
   ### secp256k1 modules
+  EXPERIMENTAL: no
   ECDH: no
   RECOVERY: no
   SCHNORRSIG: no

contrib/musig2-vectors.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 import sys
 import json

contrib/sync-upstream.sh

@@ -79,13 +79,13 @@ case $1 in
         shift
         setup
         range "$@"
-        REPRODUCE_COMMAND="$0 range -b $LOCAL_BRANCH $RANGEEND_COMMIT"
+        REPRODUCE_COMMAND="$0 -b $LOCAL_BRANCH range $RANGEEND_COMMIT"
         ;;
     select)
         shift
         setup
         COMMITS=$*
-        REPRODUCE_COMMAND="$0 select -b $LOCAL_BRANCH $@"
+        REPRODUCE_COMMAND="$0 -b $LOCAL_BRANCH select $@"
         ;;
     help)
         help
@@ -104,8 +104,7 @@ do
 done
 # Remove trailing ","
 TITLE=${TITLE%?}
-
-BODY=$(printf "%s\n\n%s" "$BODY" "This PR can be recreated with \`$REPRODUCE_COMMAND\`.")
+BODY=$(printf "%s\n\n%s\n%s" "$BODY" "This PR can be recreated with \`$REPRODUCE_COMMAND\`." "Tip: Use \`git show --remerge-diff\` to show the changes manually added to the merge commit.")
 
 echo "-----------------------------------"
 echo "$TITLE"

src/modules/bppp/tests_impl.h

@@ -257,7 +257,11 @@ void test_serialize_two_points(void) {
         random_group_element_test(&X);
         random_group_element_test(&R);
         secp256k1_bppp_serialize_points(buf, &X, &R);
-        buf[0] |= 4 + (unsigned char)secp256k1_testrandi64(4, 255);
+
+        buf[0] = 4 + (unsigned char)secp256k1_testrandi64(0, 253);
+        /* Assert that buf[0] is actually invalid. */
+        CHECK(buf[0] != 0x02 && buf[0] != 0x03);
+
         CHECK(!secp256k1_bppp_parse_one_of_points(&X_tmp, buf, 0));
         CHECK(!secp256k1_bppp_parse_one_of_points(&R_tmp, buf, 0));
     }

src/modules/rangeproof/borromean_impl.h

@@ -20,24 +20,18 @@
 #include <limits.h>
 #include <string.h>
 
-#if defined(SECP256K1_BIG_ENDIAN)
-#define BE32(x) (x)
-#elif defined(SECP256K1_LITTLE_ENDIAN)
-#define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
-#endif
-
 SECP256K1_INLINE static void secp256k1_borromean_hash(unsigned char *hash, const unsigned char *m, size_t mlen, const unsigned char *e, size_t elen,
  size_t ridx, size_t eidx) {
-    uint32_t ring;
-    uint32_t epos;
+    unsigned char ring[4];
+    unsigned char epos[4];
     secp256k1_sha256 sha256_en;
     secp256k1_sha256_initialize(&sha256_en);
-    ring = BE32((uint32_t)ridx);
-    epos = BE32((uint32_t)eidx);
+    secp256k1_write_be32(ring, (uint32_t)ridx);
+    secp256k1_write_be32(epos, (uint32_t)eidx);
     secp256k1_sha256_write(&sha256_en, e, elen);
     secp256k1_sha256_write(&sha256_en, m, mlen);
-    secp256k1_sha256_write(&sha256_en, (unsigned char*)&ring, 4);
-    secp256k1_sha256_write(&sha256_en, (unsigned char*)&epos, 4);
+    secp256k1_sha256_write(&sha256_en, ring, 4);
+    secp256k1_sha256_write(&sha256_en, epos, 4);
     secp256k1_sha256_finalize(&sha256_en, hash);
 }
 

src/scalar.h

@@ -108,7 +108,4 @@ static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_
 /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
 static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag);
 
-/** Generate two scalars from a 32-byte seed and an integer using the chacha20 stream cipher */
-static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx);
-
 #endif /* SECP256K1_SCALAR_H */

src/scalar_4x64_impl.h

@@ -970,93 +970,6 @@ static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const se
     r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1);
 }
 
-#define ROTL32(x,n) ((x) << (n) | (x) >> (32-(n)))
-#define QUARTERROUND(a,b,c,d) \
-  a += b; d = ROTL32(d ^ a, 16); \
-  c += d; b = ROTL32(b ^ c, 12); \
-  a += b; d = ROTL32(d ^ a, 8); \
-  c += d; b = ROTL32(b ^ c, 7);
-
-#if defined(SECP256K1_BIG_ENDIAN)
-#define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
-#elif defined(SECP256K1_LITTLE_ENDIAN)
-#define LE32(p) (p)
-#endif
-
-static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx) {
-    size_t n;
-    size_t over_count = 0;
-    uint32_t seed32[8];
-    uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
-    int over1, over2;
-
-    memcpy((void *) seed32, (const void *) seed, 32);
-    do {
-        x0 = 0x61707865;
-        x1 = 0x3320646e;
-        x2 = 0x79622d32;
-        x3 = 0x6b206574;
-        x4 = LE32(seed32[0]);
-        x5 = LE32(seed32[1]);
-        x6 = LE32(seed32[2]);
-        x7 = LE32(seed32[3]);
-        x8 = LE32(seed32[4]);
-        x9 = LE32(seed32[5]);
-        x10 = LE32(seed32[6]);
-        x11 = LE32(seed32[7]);
-        x12 = idx;
-        x13 = idx >> 32;
-        x14 = 0;
-        x15 = over_count;
-
-        n = 10;
-        while (n--) {
-            QUARTERROUND(x0, x4, x8,x12)
-            QUARTERROUND(x1, x5, x9,x13)
-            QUARTERROUND(x2, x6,x10,x14)
-            QUARTERROUND(x3, x7,x11,x15)
-            QUARTERROUND(x0, x5,x10,x15)
-            QUARTERROUND(x1, x6,x11,x12)
-            QUARTERROUND(x2, x7, x8,x13)
-            QUARTERROUND(x3, x4, x9,x14)
-        }
-
-        x0 += 0x61707865;
-        x1 += 0x3320646e;
-        x2 += 0x79622d32;
-        x3 += 0x6b206574;
-        x4 += LE32(seed32[0]);
-        x5 += LE32(seed32[1]);
-        x6 += LE32(seed32[2]);
-        x7 += LE32(seed32[3]);
-        x8 += LE32(seed32[4]);
-        x9 += LE32(seed32[5]);
-        x10 += LE32(seed32[6]);
-        x11 += LE32(seed32[7]);
-        x12 += idx;
-        x13 += idx >> 32;
-        x14 += 0;
-        x15 += over_count;
-
-        r1->d[3] = (((uint64_t)  x0) << 32) | x1;
-        r1->d[2] = (((uint64_t)  x2) << 32) | x3;
-        r1->d[1] = (((uint64_t)  x4) << 32) | x5;
-        r1->d[0] = (((uint64_t)  x6) << 32) | x7;
-        r2->d[3] = (((uint64_t)  x8) << 32) | x9;
-        r2->d[2] = (((uint64_t) x10) << 32) | x11;
-        r2->d[1] = (((uint64_t) x12) << 32) | x13;
-        r2->d[0] = (((uint64_t) x14) << 32) | x15;
-
-        over1 = secp256k1_scalar_check_overflow(r1);
-        over2 = secp256k1_scalar_check_overflow(r2);
-        over_count++;
-   } while (over1 | over2);
-}
-
-#undef ROTL32
-#undef QUARTERROUND
-#undef LE32
-
 static void secp256k1_scalar_from_signed62(secp256k1_scalar *r, const secp256k1_modinv64_signed62 *a) {
     const uint64_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4];
 

src/scalar_8x32_impl.h

@@ -749,101 +749,6 @@ static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const se
     r->d[7] = (r->d[7] & mask0) | (a->d[7] & mask1);
 }
 
-#define ROTL32(x,n) ((x) << (n) | (x) >> (32-(n)))
-#define QUARTERROUND(a,b,c,d) \
-  a += b; d = ROTL32(d ^ a, 16); \
-  c += d; b = ROTL32(b ^ c, 12); \
-  a += b; d = ROTL32(d ^ a, 8); \
-  c += d; b = ROTL32(b ^ c, 7);
-
-#if defined(SECP256K1_BIG_ENDIAN)
-#define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
-#elif defined(SECP256K1_LITTLE_ENDIAN)
-#define LE32(p) (p)
-#endif
-
-static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx) {
-    size_t n;
-    size_t over_count = 0;
-    uint32_t seed32[8];
-    uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
-    int over1, over2;
-
-    memcpy((void *) seed32, (const void *) seed, 32);
-    do {
-        x0 = 0x61707865;
-        x1 = 0x3320646e;
-        x2 = 0x79622d32;
-        x3 = 0x6b206574;
-        x4 = LE32(seed32[0]);
-        x5 = LE32(seed32[1]);
-        x6 = LE32(seed32[2]);
-        x7 = LE32(seed32[3]);
-        x8 = LE32(seed32[4]);
-        x9 = LE32(seed32[5]);
-        x10 = LE32(seed32[6]);
-        x11 = LE32(seed32[7]);
-        x12 = idx;
-        x13 = idx >> 32;
-        x14 = 0;
-        x15 = over_count;
-
-        n = 10;
-        while (n--) {
-            QUARTERROUND(x0, x4, x8,x12)
-            QUARTERROUND(x1, x5, x9,x13)
-            QUARTERROUND(x2, x6,x10,x14)
-            QUARTERROUND(x3, x7,x11,x15)
-            QUARTERROUND(x0, x5,x10,x15)
-            QUARTERROUND(x1, x6,x11,x12)
-            QUARTERROUND(x2, x7, x8,x13)
-            QUARTERROUND(x3, x4, x9,x14)
-        }
-
-        x0 += 0x61707865;
-        x1 += 0x3320646e;
-        x2 += 0x79622d32;
-        x3 += 0x6b206574;
-        x4 += LE32(seed32[0]);
-        x5 += LE32(seed32[1]);
-        x6 += LE32(seed32[2]);
-        x7 += LE32(seed32[3]);
-        x8 += LE32(seed32[4]);
-        x9 += LE32(seed32[5]);
-        x10 += LE32(seed32[6]);
-        x11 += LE32(seed32[7]);
-        x12 += idx;
-        x13 += idx >> 32;
-        x14 += 0;
-        x15 += over_count;
-
-        r1->d[7] = x0;
-        r1->d[6] = x1;
-        r1->d[5] = x2;
-        r1->d[4] = x3;
-        r1->d[3] = x4;
-        r1->d[2] = x5;
-        r1->d[1] = x6;
-        r1->d[0] = x7;
-        r2->d[7] = x8;
-        r2->d[6] = x9;
-        r2->d[5] = x10;
-        r2->d[4] = x11;
-        r2->d[3] = x12;
-        r2->d[2] = x13;
-        r2->d[1] = x14;
-        r2->d[0] = x15;
-
-        over1 = secp256k1_scalar_check_overflow(r1);
-        over2 = secp256k1_scalar_check_overflow(r2);
-        over_count++;
-   } while (over1 | over2);
-}
-
-#undef ROTL32
-#undef QUARTERROUND
-#undef LE32
-
 static void secp256k1_scalar_from_signed30(secp256k1_scalar *r, const secp256k1_modinv32_signed30 *a) {
     const uint32_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4],
                    a5 = a->v[5], a6 = a->v[6], a7 = a->v[7], a8 = a->v[8];

src/scalar_low_impl.h

@@ -127,11 +127,6 @@ static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const se
     *r = (*r & mask0) | (*a & mask1);
 }
 
-SECP256K1_INLINE static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t n) {
-    *r1 = (seed[0] + n) % EXHAUSTIVE_TEST_ORDER;
-    *r2 = (seed[1] + n) % EXHAUSTIVE_TEST_ORDER;
-}
-
 static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *x) {
     int i;
     *r = 0;