72ae443 Improve perf. of cmov-based table lookup (Peter Dettman)
92e53fc Implement endomorphism optimization for secp256k1_ecmult_const (Andrew Poelstra)
ed35d43 Make `secp256k1_scalar_add_bit` conditional; make `secp256k1_scalar_split_lambda_var` constant time (Andrew Poelstra)
91c0ce9 Add benchmarks for ECDH and const-time multiplication (Andrew Poelstra)
0739bbb Add ECDH module which works by hashing the output of ecmult_const (Andrew Poelstra)
4401500 Add constant-time multiply `secp256k1_ecmult_const` for ECDH (Andrew Poelstra)
baa75da tests: add a couple tests (Andrew Poelstra)
This has the effect of making `secp256k1_scalar_mul_shift_var` constant
time in both input scalars. Keep the _var name because it is NOT constant
time in the shift amount.
As used in `secp256k1_scalar_split_lambda_var`, the shift is always
the constant 272, so this function becomes constant time, and it
loses the `_var` suffix.
Designed with clear separation of the wNAF conversion, precomputation
and exponentiation (since the precomp at least we will probably want
to separate in the API for users who reuse points a lot.
Future work:
- actually separate precomp in the API
- do multiexp rather than single exponentiation
- Add zero/one sanity check tests for ecmult
- Add unit test for secp256k1_scalar_split_lambda_var
- Typo fix in `ge_equals_ge`; was comparing b->y to itself, should
have been comparing a->y to b->y
- Normalize y-coordinate in `random_group_element_test`; this is
needed to pass random group elements as the first argument to
`ge_equals_ge`, which I will do in a future commit.
18c329c Remove the internal secp256k1_ecdsa_sig_t type (Pieter Wuille)
74a2acd Add a secp256k1_ecdsa_signature_t type (Pieter Wuille)
23cfa91 Introduce secp256k1_pubkey_t type (Pieter Wuille)
Gen_context was unable to find the required headers without some
autotools fixups. Make dist was also broken without the extra
sources for the host side table builder utility.
This vastly shrinks the size of the context required for signing on devices with
memory-mapped Flash.
Tables are generated by the new gen_context tool into a header.
5a43124 Save 1 _fe_negate since s1 == -s2 (Peter Dettman)
a5d796e Update code comments (Peter Dettman)
7d054cd Refactor to save a _fe_negate (Peter Dettman)
b28d02a Refactor to remove a local var (Peter Dettman)
55e7fc3 Perf. improvement in _gej_add_ge (Peter Dettman)
7657420 Add tests for adding P+Q with P.x!=Q.x and P.y=-Q.y (Pieter Wuille)
8c5d5f7 tests: Add failing unit test for #257 (bad addition formula) (Andrew Poelstra)
5de4c5d gej_add_ge: fix degenerate case when computing P + (-lambda)P (Andrew Poelstra)
bcf2fcf gej_add_ge: rearrange algebra (Andrew Poelstra)
If two points (x1, y1) and (x2, y2) are given to gej_add_ge with
x1 != x2 but y1 = -y2, the function gives a wrong answer since
this causes it to compute "lambda = 0/0" during an intermediate
step. (Here lambda refers to an auxiallary variable in the point
addition formula, not the cube-root of 1 used by the endomorphism
optimization.)
This commit catches the 0/0 and replaces it with an alternate
expression for lambda, cmov'ing it in place if necessary.
