Add secp256k1_pubkey_sort #1518
Conversation
|
Concept ACK. This is useful independently of MuSig and Silent Payments. Also for users with no standard library, e.g., on hardware wallets. cc @roconnor-blockstream who wrote most of this code Just out of curiosity, I checked what glibc actually does. They have Quicksort, Insertionsort, Mergesort, and Heapsort in their code base. If malloc fails, they'll always fall back to Heapsort. I think they had been using Quicksort and Mergesort for decades (perhaps selected depending on the platform?), but they changed their mind quite often lately, and this was indeed related to degenerate and adversarially constructed inputs:
This means that the current libc is probably fine. But old versions may be problematic, and other implementations of the standard library may also be problematic. If anything, all of this confirms that Heapsort is a good choice, and that we should not rely on the standard library here. |
There was a problem hiding this comment.
Concept ACK. This is particularly useful for the silent payments module in that we are able to hide a lot of complexity from the caller. In addition, I agree with Tim's assessment that this is a generally useful thing to have (not specific to Musig2/Silent payments).
Left a small nit regarding documentation but overall I found this pretty easy to work with as implemented when creating a custom cmp for silent payments.
jonasnick
changed the title
jonasnick
force-pushed
the
pubkey-sort
branch
2 times, most recently
from
d986553
to
4520d75
Compare
|
A wild idea: Needing to reimplement and maintaining highly efficient in place sorting every time is very sad About it being useful, I'll say that embedded rust still gives you sorting via libcore, and I think every embedded C toolkit has some sort of sorting utility, but I might be wrong on this |
Hm, I think this gives us the worst of both worlds in the end:
Also, I doubt that Shellsort or Bubblesort are much easier to implement than Heapsort. (And look at the nature of the bug I found: The swap was wrong, not the Heapsort itself. And you'll need a swap for every algorithm.)
Yeah, but that's because C is sad (sometimes). |
|
I'll echo @real-or-random 's point and add:
I think this is fine if the sorting step is a convenience, but in the case of the silent payments module sorting is a required step for generating the outputs correctly. For this, I think it's far better to have sorting handled inside the module vs requiring the user to sort before passing the public keys. Doing the sorting for the users eliminates a difficult to catch error and we'd need to sort anyways to be able to detect and alert the user that they did not sort (or sorted incorrectly). |
| { | ||
| int32_t ecount = 0; | ||
| secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount); | ||
| CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1); | ||
| CHECK(ecount == 2); | ||
| secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||
| } |
There was a problem hiding this comment.
Not exactly this PR, but do you think it's worth noting in the API docs that callbacks may be triggered more than once per API call? This may be interesting in the case of the illegal callback because you wouldn't need to crash necessarily for this type of callback (e.g., thinking of python bindings that could choose to raise). If yes, we could track this separately.
There was a problem hiding this comment.
Hm good point. But if we think that calling the callback multiple times causes problems, it may makes more sense to fix/change that because it's unlikely someone will read this and take it into account.
For the error callback the documentation says "After this callback returns, anything may happen, including crashing." and for the illegal callback "When this callback is triggered, the API function called is guaranteed not to cause a crash, though its return value and output arguments are undefined."
There was a problem hiding this comment.
But if we think that calling the callback multiple times causes problems, it may makes more sense to fix/change that because it's unlikely someone will read this and take it into account.
Let's maybe track this in a separate issue. It's certainly not great to call the callback twice, but last time when I tried to "fix" it, I wasn't happy with the added code complexity.
|
I added a description of the interface to the hsort doc. Apparently mac OS uses a different order of arguments. |
src/tests.c
Outdated
| secp256k1_hsort(elements, 1, element_len, test_hsort_cmp, &data); | ||
| CHECK(data.counter == 0); | ||
| secp256k1_hsort(elements, NUM, element_len, test_hsort_cmp, &data); | ||
| CHECK(data.counter >= NUM); |
There was a problem hiding this comment.
Not entirely sure what we are trying to do with this check, but if we are thinking of hsort as a black box sorting function, the minimum number of comparisons is NUM-1 (min 0).
If we are thinking of hsort as a white box heap sort, then the minimum number of comparisons is larger, on the order of (3/2 n) or so. We can probably figure it out if that's your intention.
You can test that a list is sorted in O(n) time, but sorting (by comparisons) take O(n log n) time That said, I do agree that we should just sort ourselves, in O(n log n) worst case time, with constant memory overhead. |
|
Rebased on master and added change log entry. |
Co-authored-by: Tim Ruffing <crypto@timruffing.de> Co-authored-by: Russell O'Connor <roconnor@blockstream.io>
| static int secp256k1_ec_pubkey_sort_cmp(const void* pk1, const void* pk2, void *ctx) { | ||
| return secp256k1_ec_pubkey_cmp((secp256k1_context *)ctx, | ||
| *(secp256k1_pubkey **)pk1, | ||
| *(secp256k1_pubkey **)pk2); |
There was a problem hiding this comment.
In #1519, I initially created a secp256k1_silentpayments_recipient_sort_cmp function using (secp256k1_silentpayments_recipient *)r->scan_pubkey instead of *(secp256k1_silentpayments_recipient **)r->scan_pubkey. Everything compiled fine, but the end result was my array was not sorted correctly. Took me awhile to figure out that it was due to using (typedef *) instead of *(typedef **).
This could just be a me problem in not having a strong C background, but wanted to mention it in case its worth documenting.
There was a problem hiding this comment.
Hm, this is documented. The hsort doc says "comparison function is called with two arguments that point to the objects being compared" (which was copied from the qsort_r manpage). If the array you give to hsort consists of elements of type secp256k1_silentpayments_recipient *, the comparison function is called with pointers to the elements (secp256k1_silentpayments_recipient **).
There was a problem hiding this comment.
I guess seeing stuff like *(secp256k1_pubkey **)pk1 can be confusing even to seasoned C programmers at first glance, due to the asterisk being used for two related but different things here (first as a dereference operator and then in the cast for indicating a pointer type). But yeah, I don't think we can do anything to improve this.
There was a problem hiding this comment.
should this be *(const secp256k1_pubkey * const *)pk1 or something?
|
ACK 7d2591c |
| /* Suppress wrong warning (fixed in MSVC 19.33) */ | ||
| #if defined(_MSC_VER) && (_MSC_VER < 1933) | ||
| #pragma warning(push) | ||
| #pragma warning(disable: 4090) | ||
| #endif | ||
|
|
||
| /* Casting away const is fine because neither secp256k1_hsort nor | ||
| * secp256k1_ec_pubkey_sort_cmp modify the data pointed to by the cmp_data | ||
| * argument. */ | ||
| secp256k1_hsort(pubkeys, n_pubkeys, sizeof(*pubkeys), secp256k1_ec_pubkey_sort_cmp, (void *)ctx); | ||
|
|
||
| #if defined(_MSC_VER) && (_MSC_VER < 1933) | ||
| #pragma warning(pop) | ||
| #endif |
There was a problem hiding this comment.
I verified that the pragmas are still necessary now that the call to secp256k1_hsort was changed. See https://godbolt.org/z/13MY3acP1 .
e3a885d Merge bitcoin-core/secp256k1#1522: release: prepare for 0.5.0 c0e4ec3 release: prepare for 0.5.0 bb528cf Merge bitcoin-core/secp256k1#1518: Add secp256k1_pubkey_sort 7d2591c Add secp256k1_pubkey_sort da51507 Merge bitcoin-core/secp256k1#1058: Signed-digit multi-comb ecmult_gen algorithm 4c341f8 Add changelog entry for SDMC a043940 Permit COMB_BITS < 256 for exhaustive tests 39b2f2a Add test case for ecmult_gen recoded = {-1,0,1} 644e86d Reintroduce projective blinding 07810d9 Reduce side channels from single-bit reads a0d32b5 Optimization: use Nx32 representation for recoded bits e03dcc4 Make secp256k1_scalar_get_bits support 32-bit reads 5005abe Rename scalar_get_bits -> scalar_get_bits_limb32; return uint32_t 6247f48 Optimization: avoid unnecessary doublings in precomputation 15d0cca Optimization: first table lookup needs no point addition 7a33db3 Optimization: move (2^COMB_BITS-1)/2 term into ctx->scalar_offset ed2a056 Provide 3 configurations accessible through ./configure 5f7be9f Always generate tables for current (blocks,teeth) config fde1dfc Signed-digit multi-comb ecmult_gen algorithm 486518b Make exhaustive tests's scalar_inverse(&x,&x) work ab45c3e Initial gej blinding -> final ge blinding aa00a6b Introduce CEIL_DIV macro and use it d831168 Merge bitcoin-core/secp256k1#1515: ci: Note affected clangs in comment on ASLR quirk a85e223 ci: Note affected clangs in comment on ASLR quirk 4b77fec Merge bitcoin-core/secp256k1#1512: msan: notate more variable assignments from assembly code f7f0184 msan: notate more variable assignments from assembly code a613391 change inconsistent array param to pointer 05bfab6 Merge bitcoin-core/secp256k1#1507: ci: Add workaround for ASLR bug in sanitizers a5e8ab2 ci: Add sanitizer env variables to debug output 84a93de ci: Add workaround for ASLR bug in sanitizers 427e86b Merge bitcoin-core/secp256k1#1490: tests: improve fe_sqr test (issue #1472) 2028069 doc: clarify input requirements for secp256k1_fe_mul 11420a7 tests: improve fe_sqr test cdc9a62 Merge bitcoin-core/secp256k1#1489: tests: add missing fe comparison checks for inverse field test cases d926510 Merge bitcoin-core/secp256k1#1496: msan: notate variable assignments from assembly code 31ba404 msan: notate variable assignments from assembly code e7ea32e msan: Add SECP256K1_CHECKMEM_MSAN_DEFINE which applies to memory sanitizer and not valgrind e7bdddd refactor: rename `check_fe_equal` -> `fe_equal` 00111c9 tests: add missing fe comparison checks for inverse field test cases 0653a25 Merge bitcoin-core/secp256k1#1486: ci: Update cache action 94a14d5 ci: Update cache action 2483627 Merge bitcoin-core/secp256k1#1483: cmake: Recommend native CMake commands in README 5ad3aa3 Merge bitcoin-core/secp256k1#1484: tests: Drop redundant _scalar_check_overflow calls 51df2d9 tests: Drop redundant _scalar_check_overflow calls 3777e3f cmake: Recommend native CMake commands in README e4af41c Merge bitcoin-core/secp256k1#1249: cmake: Add `SECP256K1_LATE_CFLAGS` configure option 3bf4d68 Merge bitcoin-core/secp256k1#1482: build: Clean up handling of module dependencies e682267 build: Error if required module explicitly off 89ec583 build: Clean up handling of module dependencies 4437886 Merge bitcoin-core/secp256k1#1468: v0.4.1 release aftermath a9db9f2 Merge bitcoin-core/secp256k1#1480: Get rid of untested sizeof(secp256k1_ge_storage) == 64 code path 74b7c3b Merge bitcoin-core/secp256k1#1476: include: make docs more consistent b37fdb2 check-abi: Minor UI improvements ad5f589 check-abi: Default to HEAD for new version 9fb7e2f release process: Style and formatting nits ba5d72d assumptions: Use new STATIC_ASSERT macro e53c2d9 Require that sizeof(secp256k1_ge_storage) == 64 d0ba2ab util: Add STATIC_ASSERT macro da7bc1b include: in doc, remove article in front of "pointer" aa3dd52 include: make doc about ctx more consistent e3f6900 include: remove obvious "cannot be NULL" doc d373bf6 Merge bitcoin-core/secp256k1#1474: tests: restore scalar_mul test 79e0945 Merge bitcoin-core/secp256k1#1473: Fix typos 3dbfb48 tests: restore scalar_mul test d77170a Fix typos e7053d0 release process: Add email step 429d21d release process: Run sanity checks on release PR efe85c7 Merge bitcoin-core/secp256k1#1466: release cleanup: bump version after 0.4.1 4b2e06f release cleanup: bump version after 0.4.1 1ad5185 Merge bitcoin-core/secp256k1#1465: release: prepare for 0.4.1 672053d release: prepare for 0.4.1 1a81df8 Merge bitcoin-core/secp256k1#1380: Add ABI checking tool for release process 74a4d97 doc: Add ABI checking with `check-abi.sh` to the Release Process e7f830e Add `tools/check-abi.sh` 77af1da Merge bitcoin-core/secp256k1#1455: doc: improve secp256k1_fe_set_b32_mod doc 3928b7c doc: improve secp256k1_fe_set_b32_mod doc 5e9a4d7 Merge bitcoin-core/secp256k1#990: Add comment on length checks when parsing ECDSA sigs 4197d66 Merge bitcoin-core/secp256k1#1431: Add CONTRIBUTING.md 0e5ea62 CONTRIBUTING: add some coding and style conventions e2c9888 Merge bitcoin-core/secp256k1#1451: changelog: add entry for "field: Remove x86_64 asm" d2e36a2 changelog: add entry for "field: Remove x86_64 asm" 1a432cb README: update first sentence 0922a04 docs: move coverage report instructions to CONTRIBUTING 76880e4 Add CONTRIBUTING.md including scope and guidelines for new code d3e29db Merge bitcoin-core/secp256k1#1450: Add group.h ge/gej equality functions 04af0ba Replace ge_equals_ge[,j] calls with group.h equality calls 60525f6 Add unit tests for group.h equality functions a47cd97 Add group.h ge/gej equality functions 10e6d29 Merge bitcoin-core/secp256k1#1446: field: Remove x86_64 asm 07687e8 Merge bitcoin-core/secp256k1#1393: Implement new policy for VERIFY_CHECK and #ifdef VERIFY (issue #1381) bb46723 remove VERIFY_SETUP define a3a3e11 remove unneeded VERIFY_SETUP uses in ECMULT_CONST_TABLE_GET_GE macro a0fb68a introduce and use SECP256K1_SCALAR_VERIFY macro cf25c86 introduce and use SECP256K1_{FE,GE,GEJ}_VERIFY macros 5d89bc0 remove superfluous `#ifdef VERIFY`/`#endif` preprocessor conditions c2688f8 redefine VERIFY_CHECK to empty in production (non-VERIFY) mode 5814d84 Merge bitcoin-core/secp256k1#1438: correct assertion for secp256k1_fe_mul_inner c1b4966 Merge bitcoin-core/secp256k1#1445: bench: add --help option to bench_internal f07cead build: Don't call assembly an optimization 2f0762f field: Remove x86_64 asm 1ddd76a bench: add --help option to bench_internal e721039 Merge bitcoin-core/secp256k1#1441: asm: add .note.GNU-stack section for non-exec stack ea47c82 Merge bitcoin-core/secp256k1#1442: Return temporaries to being unsigned in secp256k1_fe_sqr_inner dcdda31 Tighten secp256k1_fe_mul_inner's VERIFY_BITS checks 1027135 Return temporaries to being unsigned in secp256k1_fe_sqr_inner 33dc7e4 asm: add .note.GNU-stack section for non-exec stack c891c5c Merge bitcoin-core/secp256k1#1437: ci: Ignore internal errors of snapshot compilers 8185e72 ci: Ignore internal errors in snapshot compilers 40f50d0 Merge bitcoin-core/secp256k1#1184: Signed-digit based ecmult_const algorithm 8e2a5fe correct assertion for secp256k1_fe_mul_inner 355bbdf Add changelog entry for signed-digit ecmult_const algorithm 21f49d9 Remove unused secp256k1_scalar_shr_int 115fdc7 Remove unused secp256k1_wnaf_const aa9f3a3 ecmult_const: add/improve tests 4d16e90 Signed-digit based ecmult_const algorithm ba523be make SECP256K1_SCALAR_CONST reduce modulo exhaustive group order 2140da9 Add secp256k1_scalar_half for halving scalars (+ tests/benchmarks). 1f1bb78 Merge bitcoin-core/secp256k1#1430: README: remove CI badge 5dab0ba README: remove CI badge b314cf2 Merge bitcoin-core/secp256k1#1426: ci/cirrus: Add native ARM64 jobs fa4d6c7 ci/cirrus: Add native ARM64 persistent workers ee7aaf2 Merge bitcoin-core/secp256k1#1395: tests: simplify `random_fe_non_zero` (remove loop limit and unneeded normalize) ba9cb6f Merge bitcoin-core/secp256k1#1424: ci: Bump major versions for docker actions d9d80fd ci: Bump major versions for docker actions 4fd00f4 Merge bitcoin-core/secp256k1#1422: cmake: Install `libsecp256k1.pc` file 421d848 ci: Align Autotools/CMake `CI_INSTALL` directory names 9f005c6 cmake: Install `libsecp256k1.pc` file 2262d0e ci/cirrus: Bring back skeleton .cirrus.yml without jobs b10ddd2 Merge bitcoin-core/secp256k1#1416: doc: Align documented scripts with CI ones 49be5be Merge bitcoin-core/secp256k1#1390: tests: Replace counting_illegal_callbacks with CHECK_ILLEGAL_VOID cbf3053 Merge bitcoin-core/secp256k1#1417: release cleanup: bump version after 0.4.0 9b118bc release cleanup: bump version after 0.4.0 199d27c Merge bitcoin-core/secp256k1#1415: release: Prepare for 0.4.0 7030364 tests: add CHECK_ERROR_VOID and use it in scratch tests f8d7ea6 tests: Replace counting_illegal_callbacks with CHECK_ILLEGAL_VOID 1633980 release: Prepare for 0.4.0 d9a8506 changelog: Catch up in preparation of release b0f7bfe doc: Do not mention soname in CHANGELOG.md "ABI Compatibility" section bd9d98d doc: Align documented scripts with CI ones 0b4640a Merge bitcoin-core/secp256k1#1413: ci: Add `release` job 8659a01 ci: Add `release` job f9b3889 ci: Update `actions/checkout` version a1d52e3 tests: remove unnecessary test in run_ec_pubkey_parse_test 875b0ad tests: remove unnecessary set_illegal_callback 727bec5 Merge bitcoin-core/secp256k1#1414: ci/gha: Add ARM64 QEMU jobs for clang and clang-snapshot 2635068 ci/gha: Let MSan continue checking after errors in all jobs e78c7b6 ci/Dockerfile: Reduce size of Docker image further 2f0d3bb ci/Dockerfile: Warn if `ulimit -n` is too high when running Docker 4b8a647 ci/gha: Add ARM64 QEMU jobs for clang and clang-snapshot 6ebe7d2 ci/Dockerfile: Always use versioned clang packages 65c79fe Merge bitcoin-core/secp256k1#1412: ci: Switch macOS from Ventura to Monterey and add Valgrind c223d7e ci: Switch macOS from Ventura to Monterey and add Valgrind ea26b71 Merge bitcoin-core/secp256k1#1411: ci: Make repetitive command the default one cce0456 ci: Make repetitive command the default one 317a4c4 ci: Move `git config ...` to `run-in-docker-action` 4d7fe60 Merge bitcoin-core/secp256k1#1409: ci: Move remained task from Cirrus to GitHub Actions 676ed8f ci: Move "C++ (public headers)" from Cirrus to GitHub Actions 61fc3a2 ci: Move "C++ -fpermissive..." from Cirrus to GitHub Actions d51fb0a ci: Move "MSan" from Cirrus to GitHub Actions c22ac27 ci: Move sanitizers task from Cirrus to GitHub Actions 26a9899 Merge bitcoin-core/secp256k1#1410: ci: Use concurrency for pull requests only ee1be62 ci: Use concurrency for pull requests only 6ee1455 Merge bitcoin-core/secp256k1#1406: ci, gha: Move more non-x86_64 tasks from Cirrus CI to GitHub Actions fc3dea2 ci: Move "ppc64le: Linux..." from Cirrus to GitHub Actions 7782dc8 ci: Move "ARM64: Linux..." from Cirrus to GitHub Actions 0a16de6 ci: Move "ARM32: Linux..." from Cirrus to GitHub Actions ea33914 ci: Move "s390x (big-endian): Linux..." from Cirrus to GitHub Actions 880be8a ci: Move "i686: Linux (Debian stable)" from Cirrus to GiHub Actions 2e6cf9b Merge bitcoin-core/secp256k1#1396: ci, gha: Add "x86_64: Linux (Debian stable)" GitHub Actions job 5373693 Merge bitcoin-core/secp256k1#1405: ci: Drop no longer needed workaround ef9fe95 ci: Drop no longer needed workaround e10878f ci, gha: Drop `driver-opts.network` input for `setup-buildx-action` 4ad4914 ci, gha: Add `retry_builder` Docker image builder 6617a62 ci: Remove "x86_64: Linux (Debian stable)" task from Cirrus CI 03c9e65 ci, gha: Add "x86_64: Linux (Debian stable)" GitHub Actions job ad3e65d ci: Remove GCC build files and sage to reduce size of Docker image 6b9507a Merge bitcoin-core/secp256k1#1398: ci, gha: Add Windows jobs based on Linux image 87d35f3 ci: Rename `cirrus.sh` to more general `ci.sh` d6281dd ci: Remove Windows tasks from Cirrus CI 2b6f9cd ci, gha: Add Windows jobs based on Linux image 48b1d93 Merge bitcoin-core/secp256k1#1403: ci, gha: Ensure only a single workflow processes `github.ref` at a time 0ba2b94 Merge bitcoin-core/secp256k1#1373: Add invariant checking for scalars c45b7c4 refactor: introduce testutil.h (deduplicate `random_fe_`, `ge_equals_` helpers) dc55141 tests: simplify `random_fe_non_zero` (remove loop limit and unneeded normalize) 060e32c Merge bitcoin-core/secp256k1#1401: ci, gha: Run all MSVC tests on Windows natively de657c2 Merge bitcoin-core/secp256k1#1062: Removes `_fe_equal_var`, and unwanted `_fe_normalize_weak` calls (in tests) bcffeb1 Merge bitcoin-core/secp256k1#1404: ci: Remove "arm64: macOS Ventura" task from Cirrus CI c2f6435 ci: Add comment about switching macOS to M1 on GHA later 4a24fae ci: Remove "arm64: macOS Ventura" task from Cirrus CI b0886fd ci, gha: Ensure only a single workflow processes `github.ref` at a time 3d05c86 Merge bitcoin-core/secp256k1#1394: ci, gha: Run "x86_64: macOS Ventura" job on GitHub Actions d78bec7 ci: Remove Windows MSVC tasks from Cirrus CI 3545dc2 ci, gha: Run all MSVC tests on Windows natively 5d8fa82 Merge bitcoin-core/secp256k1#1274: test: Silent noisy clang warnings about Valgrind code on macOS x86_64 8e54a34 ci, gha: Run "x86_64: macOS Ventura" job on GitHub Actions b327abf Merge bitcoin-core/secp256k1#1402: ci: Use Homebrew's gcc in native macOS task d62db57 ci: Use Homebrew's gcc in native macOS task 54058d1 field: remove `secp256k1_fe_equal_var` bb4efd6 tests: remove unwanted `secp256k1_fe_normalize_weak` call eedd781 Merge bitcoin-core/secp256k1#1348: tighten group magnitude limits, save normalize_weak calls in group add methods (revival of #1032) b2f6712 Merge bitcoin-core/secp256k1#1400: ctimetests: Use new SECP256K1_CHECKMEM macros also for ellswift 9c91ea4 ci: Enable ellswift module where it's missing db32a24 ctimetests: Use new SECP256K1_CHECKMEM macros also for ellswift ce765a5 Merge bitcoin-core/secp256k1#1399: ci, gha: Run "SageMath prover" job on GitHub Actions 8408dfd Revert "ci: Run sage prover on CI" c8d9914 ci, gha: Run "SageMath prover" job on GitHub Actions 8d2960c Merge bitcoin-core/secp256k1#1397: ci: Remove "Windows (VS 2022)" task from Cirrus CI f1774e5 ci, gha: Make MSVC job presentation more explicit 5ee039b ci: Remove "Windows (VS 2022)" task from Cirrus CI 96294c0 Merge bitcoin-core/secp256k1#1389: ci: Run "Windows (VS 2022)" job on GitHub Actions a2f7ccd ci: Run "Windows (VS 2022)" job on GitHub Actions 374e2b5 Merge bitcoin-core/secp256k1#1290: cmake: Set `ENVIRONMENT` property for examples on Windows 1b13415 Merge bitcoin-core/secp256k1#1391: refactor: take use of `secp256k1_scalar_{zero,one}` constants (part 2) a1bd497 refactor: take use of `secp256k1_scalar_{zero,one}` constants (part 2) b7c685e Save _normalize_weak calls in group add methods c83afa6 Tighten group magnitude limits 26392da Merge bitcoin-core/secp256k1#1386: ci: print $ELLSWIFT in cirrus.sh d23da6d use secp256k1_scalar_verify checks 4692478 ci: print $ELLSWIFT in cirrus.sh c7d0454 add verification for scalars c734c64 Merge bitcoin-core/secp256k1#1384: build: enable ellswift module via SECP_CONFIG_DEFINES ad15215 update max scalar in scalar_cmov_test and fix schnorrsig_verify exhaustive test 78ca880 build: enable ellswift module via SECP_CONFIG_DEFINES 0e00fc7 Merge bitcoin-core/secp256k1#1383: util: remove unused checked_realloc b097a46 util: remove unused checked_realloc 2bd5f3e Merge bitcoin-core/secp256k1#1382: refactor: Drop unused cast 4f8c5bd refactor: Drop unused cast 173e8d0 Implement current magnitude assumptions 49afd2f Take use of _fe_verify_magnitude in field_impl.h 4e9661f Add _fe_verify_magnitude (no-op unless VERIFY is enabled) 690b0fc add missing group element invariant checks 175db31 ci: Drop no longer needed `PATH` variable update on Windows 116d2ab cmake: Set `ENVIRONMENT` property for examples on Windows cef3739 cmake, refactor: Use helper function instead of interface library 747ada3 test: Silent noisy clang warnings about Valgrind code on macOS x86_64 42f8c51 cmake: Add `SECP256K1_LATE_CFLAGS` configure option e02f313 Add comment on length checks when parsing ECDSA sigs git-subtree-dir: src/secp256k1 git-subtree-split: e3a885d42a7800c1ccebad94ad1e2b82c4df5c65
This PR adds a
secp256k1_pubkey_sortfunction the the public API which was originally part of the musig PR (#1479). However, I opened a separate PR because it adds internal functions that are also used by the WIP silent payments module.