Merge commit 'f90c4547ec40653bb64c5fdb7867db70f5be2190' into 2024-02-…

…batch-validation-updated
fjahr · Dec 5, 2024 · 6f271d7 · 6f271d7
2 parents 5cc5c43 + f90c454
commit 6f271d7
Show file tree

Hide file tree

Showing 40 changed files with 2,623 additions and 80 deletions.
diff --git a/src/secp256k1/.gitignore b/src/secp256k1/.gitignore
@@ -12,6 +12,7 @@ ecdsa_example
 schnorr_example
 ellswift_example
 musig_example
+batch_example
 *.exe
 *.so
 *.a

diff --git a/src/secp256k1/CHANGELOG.md b/src/secp256k1/CHANGELOG.md
@@ -5,6 +5,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
 ## [0.6.0] - 2024-11-04
 
 #### Added
@@ -162,6 +164,7 @@ This version was in fact never released.
 The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).
 Therefore, this version number does not uniquely identify a set of source files.
 
+[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.6.0...HEAD
 [0.6.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.5.1...v0.6.0
 [0.5.1]: https://github.com/bitcoin-core/secp256k1/compare/v0.5.0...v0.5.1
 [0.5.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.4.1...v0.5.0

diff --git a/src/secp256k1/CMakeLists.txt b/src/secp256k1/CMakeLists.txt
@@ -7,7 +7,7 @@ project(libsecp256k1
   # The package (a.k.a. release) version is based on semantic versioning 2.0.0 of
   # the API. All changes in experimental modules are treated as
   # backwards-compatible and therefore at most increase the minor version.
-  VERSION 0.6.0
+  VERSION 0.6.1
   DESCRIPTION "Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1."
   HOMEPAGE_URL "https://github.com/bitcoin-core/secp256k1"
   LANGUAGES C
@@ -32,7 +32,7 @@ endif()
 # All changes in experimental modules are treated as if they don't affect the
 # interface and therefore only increase the revision.
 set(${PROJECT_NAME}_LIB_VERSION_CURRENT 5)
-set(${PROJECT_NAME}_LIB_VERSION_REVISION 0)
+set(${PROJECT_NAME}_LIB_VERSION_REVISION 1)
 set(${PROJECT_NAME}_LIB_VERSION_AGE 0)
 
 #=============================
@@ -55,11 +55,12 @@ option(SECP256K1_INSTALL "Enable installation." ${PROJECT_IS_TOP_LEVEL})
 ## Modules
 
 # We declare all options before processing them, to make sure we can express
-# dependendencies while processing.
+# dependencies while processing.
 option(SECP256K1_ENABLE_MODULE_ECDH "Enable ECDH module." ON)
 option(SECP256K1_ENABLE_MODULE_RECOVERY "Enable ECDSA pubkey recovery module." OFF)
 option(SECP256K1_ENABLE_MODULE_EXTRAKEYS "Enable extrakeys module." ON)
 option(SECP256K1_ENABLE_MODULE_SCHNORRSIG "Enable schnorrsig module." ON)
+option(SECP256K1_ENABLE_MODULE_BATCH "Enable batch module." OFF)
 option(SECP256K1_ENABLE_MODULE_MUSIG "Enable musig module." ON)
 option(SECP256K1_ENABLE_MODULE_ELLSWIFT "Enable ElligatorSwift module." ON)
 
@@ -69,6 +70,18 @@ if(SECP256K1_ENABLE_MODULE_ELLSWIFT)
   add_compile_definitions(ENABLE_MODULE_ELLSWIFT=1)
 endif()
 
+option(SECP256K1_EXPERIMENTAL "Allow experimental configuration options." OFF)
+if(SECP256K1_ENABLE_MODULE_BATCH)
+  if(NOT SECP256K1_EXPERIMENTAL)
+    message(FATAL_ERROR "Schnorrsig batch validation is experimental. Use -DSECP256K1_EXPERIMENTAL=ON to allow.")
+  endif()
+  if(DEFINED SECP256K1_ENABLE_MODULE_SCHNORRSIG AND NOT SECP256K1_ENABLE_MODULE_SCHNORRSIG)
+    message(FATAL_ERROR "Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the Schnorrsig batch validation module.")
+  endif()
+  set(SECP256K1_ENABLE_MODULE_SCHNORRSIG ON)
+  add_compile_definitions(ENABLE_MODULE_BATCH=1)
+endif()
+
 if(SECP256K1_ENABLE_MODULE_MUSIG)
   if(DEFINED SECP256K1_ENABLE_MODULE_SCHNORRSIG AND NOT SECP256K1_ENABLE_MODULE_SCHNORRSIG)
     message(FATAL_ERROR "Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the musig module.")
@@ -156,7 +169,6 @@ elseif(SECP256K1_ASM)
   endif()
 endif()
 
-option(SECP256K1_EXPERIMENTAL "Allow experimental configuration options." OFF)
 if(NOT SECP256K1_EXPERIMENTAL)
   if(SECP256K1_ASM STREQUAL "arm32")
     message(FATAL_ERROR "ARM32 assembly is experimental. Use -DSECP256K1_EXPERIMENTAL=ON to allow.")
@@ -325,6 +337,7 @@ message("  ECDH ................................ ${SECP256K1_ENABLE_MODULE_ECDH}
 message("  ECDSA pubkey recovery ............... ${SECP256K1_ENABLE_MODULE_RECOVERY}")
 message("  extrakeys ........................... ${SECP256K1_ENABLE_MODULE_EXTRAKEYS}")
 message("  schnorrsig .......................... ${SECP256K1_ENABLE_MODULE_SCHNORRSIG}")
+message("  batch ............................... ${SECP256K1_ENABLE_MODULE_BATCH}")
 message("  musig ............................... ${SECP256K1_ENABLE_MODULE_MUSIG}")
 message("  ElligatorSwift ...................... ${SECP256K1_ENABLE_MODULE_ELLSWIFT}")
 message("Parameters:")

diff --git a/src/secp256k1/Makefile.am b/src/secp256k1/Makefile.am
@@ -183,6 +183,17 @@ if BUILD_WINDOWS
 schnorr_example_LDFLAGS += -lbcrypt
 endif
 TESTS += schnorr_example
+if ENABLE_MODULE_BATCH
+noinst_PROGRAMS += batch_example
+batch_example_SOURCES = examples/batch.c
+batch_example_CPPFLAGS = -I$(top_srcdir)/include
+batch_example_LDADD = libsecp256k1.la
+batch_example_LDFLAGS = -static
+if BUILD_WINDOWS
+batch_example_LDFLAGS += -lbcrypt
+endif
+TESTS += batch_example
+endif
 endif
 if ENABLE_MODULE_ELLSWIFT
 noinst_PROGRAMS += ellswift_example
@@ -300,3 +311,7 @@ endif
 if ENABLE_MODULE_ELLSWIFT
 include src/modules/ellswift/Makefile.am.include
 endif
+
+if ENABLE_MODULE_BATCH
+include src/modules/batch/Makefile.am.include
+endif
diff --git a/src/secp256k1/README.md b/src/secp256k1/README.md
@@ -22,6 +22,7 @@ Features:
 * Optional module for Schnorr signatures according to [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 * Optional module for ElligatorSwift key exchange according to [BIP-324](https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki).
 * Optional module for MuSig2 Schnorr multi-signatures according to [BIP-327](https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki).
+* Optional module for Batch Verification (experimental).
 
 Implementation details
 ----------------------

diff --git a/src/secp256k1/ci/cirrus.sh b/src/secp256k1/ci/cirrus.sh
@@ -0,0 +1,82 @@
+#!/bin/sh
+
+set -e
+set -x
+
+export LC_ALL=C
+
+# Start persistent wineserver if necessary.
+# This speeds up jobs with many invocations of wine (e.g., ./configure with MSVC) tremendously.
+case "$WRAPPER_CMD" in
+    *wine*)
+        # This is apparently only reliable when we run a dummy command such as "hh.exe" afterwards.
+        wineserver -p && wine hh.exe
+        ;;
+esac
+
+env >> test_env.log
+
+$CC -v || true
+valgrind --version || true
+$WRAPPER_CMD --version || true
+
+./autogen.sh
+
+./configure \
+    --enable-experimental="$EXPERIMENTAL" \
+    --with-test-override-wide-multiply="$WIDEMUL" --with-asm="$ASM" \
+    --with-ecmult-window="$ECMULTWINDOW" \
+    --with-ecmult-gen-precision="$ECMULTGENPRECISION" \
+    --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
+    --enable-module-schnorrsig="$SCHNORRSIG" \
+    --enable-module-batch="$BATCH" \
+    --enable-examples="$EXAMPLES" \
+    --with-valgrind="$WITH_VALGRIND" \
+    --host="$HOST" $EXTRAFLAGS
+
+# We have set "-j<n>" in MAKEFLAGS.
+make
+
+# Print information about binaries so that we can see that the architecture is correct
+file *tests* || true
+file bench* || true
+file .libs/* || true
+
+# This tells `make check` to wrap test invocations.
+export LOG_COMPILER="$WRAPPER_CMD"
+
+make "$BUILD"
+
+if [ "$BENCH" = "yes" ]
+then
+    # Using the local `libtool` because on macOS the system's libtool has nothing to do with GNU libtool
+    EXEC='./libtool --mode=execute'
+    if [ -n "$WRAPPER_CMD" ]
+    then
+        EXEC="$EXEC $WRAPPER_CMD"
+    fi
+    {
+        $EXEC ./bench_ecmult
+        $EXEC ./bench_internal
+        $EXEC ./bench
+    } >> bench.log 2>&1
+fi
+
+if [ "$CTIMETEST" = "yes" ]
+then
+    ./libtool --mode=execute valgrind --error-exitcode=42 ./valgrind_ctime_test > valgrind_ctime_test.log 2>&1
+fi
+
+# Rebuild precomputed files (if not cross-compiling).
+if [ -z "$HOST" ]
+then
+    make clean-precomp
+    make precomp
+fi
+
+# Shutdown wineserver again
+wineserver -k || true
+
+# Check that no repo files have been modified by the build.
+# (This fails for example if the precomp files need to be updated in the repo.)
+git diff --exit-code
diff --git a/src/secp256k1/configure.ac b/src/secp256k1/configure.ac
@@ -5,16 +5,16 @@ AC_PREREQ([2.60])
 # backwards-compatible and therefore at most increase the minor version.
 define(_PKG_VERSION_MAJOR, 0)
 define(_PKG_VERSION_MINOR, 6)
-define(_PKG_VERSION_PATCH, 0)
-define(_PKG_VERSION_IS_RELEASE, true)
+define(_PKG_VERSION_PATCH, 1)
+define(_PKG_VERSION_IS_RELEASE, false)
 
 # The library version is based on libtool versioning of the ABI. The set of
 # rules for updating the version can be found here:
 # https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
 # All changes in experimental modules are treated as if they don't affect the
 # interface and therefore only increase the revision.
 define(_LIB_VERSION_CURRENT, 5)
-define(_LIB_VERSION_REVISION, 0)
+define(_LIB_VERSION_REVISION, 1)
 define(_LIB_VERSION_AGE, 0)
 
 AC_INIT([libsecp256k1],m4_join([.], _PKG_VERSION_MAJOR, _PKG_VERSION_MINOR, _PKG_VERSION_PATCH)m4_if(_PKG_VERSION_IS_RELEASE, [true], [], [-dev]),[https://github.com/bitcoin-core/secp256k1/issues],[libsecp256k1],[https://github.com/bitcoin-core/secp256k1])
@@ -192,6 +192,10 @@ AC_ARG_ENABLE(module_ellswift,
     AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [],
     [SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])])
 
+AC_ARG_ENABLE(module_batch,
+    AS_HELP_STRING([--enable-module-batch],[enable batch verification module (experimental) [default=no]]), [],
+    [SECP_SET_DEFAULT([enable_module_batch], [no], [yes])])
+
 AC_ARG_ENABLE(external_default_callbacks,
     AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]), [],
     [SECP_SET_DEFAULT([enable_external_default_callbacks], [no], [no])])
@@ -254,8 +258,8 @@ fi
 print_msan_notice=no
 if test x"$enable_ctime_tests" = x"yes"; then
   SECP_MSAN_CHECK
-  # MSan on Clang >=16 reports unitialized memory in function parameters and return values, even if
-  # the uninitalized variable is never actually "used". This is called "eager" checking, and it's
+  # MSan on Clang >=16 reports uninitialized memory in function parameters and return values, even if
+  # the uninitialized variable is never actually "used". This is called "eager" checking, and it's
   # sounds like good idea for normal use of MSan. However, it yields many false positives in the
   # ctime_tests because many return values depend on secret (i.e., "uninitialized") values, and
   # we're only interested in detecting branches (which count as "uses") on secret data.
@@ -430,6 +434,10 @@ if test x"$enable_module_ecdh" = x"yes"; then
   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDH=1"
 fi
 
+if test x"$enable_module_batch" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_BATCH, 1, [Define this symbol to enable the batch verification module])
+fi
+
 if test x"$enable_external_default_callbacks" = x"yes"; then
   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_DEFAULT_CALLBACKS=1"
 fi
@@ -442,6 +450,9 @@ if test x"$enable_experimental" = x"no"; then
   if test x"$set_asm" = x"arm32"; then
     AC_MSG_ERROR([ARM32 assembly is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_batch" = x"yes"; then
+    AC_MSG_ERROR([batch verification module is experimental. Use --enable-experimental to allow.])
+  fi
 fi
 
 ###
@@ -463,6 +474,7 @@ AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ELLSWIFT], [test x"$enable_module_ellswift" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_BATCH], [test x"$enable_module_batch" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"])
 AM_CONDITIONAL([BUILD_WINDOWS], [test "$build_windows" = "yes"])
@@ -486,6 +498,7 @@ echo "  module extrakeys        = $enable_module_extrakeys"
 echo "  module schnorrsig       = $enable_module_schnorrsig"
 echo "  module musig            = $enable_module_musig"
 echo "  module ellswift         = $enable_module_ellswift"
+echo "  module batch            = $enable_module_batch"
 echo
 echo "  asm                     = $set_asm"
 echo "  ecmult window size      = $set_ecmult_window"

diff --git a/src/secp256k1/doc/speedup-batch.md b/src/secp256k1/doc/speedup-batch.md
@@ -0,0 +1,15 @@
+# Schnorrsig Batch Verification Speedup
+
+![Speedup over single verification](speedup-batch/schnorrsig-speedup-batch.png)
+
+# Tweak Pubkey Check Batch Verification Speedup
+
+![Speedup over single verification](speedup-batch/tweakcheck-speedup-batch.png)
+
+Build steps
+-----------
+To generate the above graphs on your local machine:
+
+    $ cd doc/speedup-batch
+    $ make
+    $ make speedup-batch.png
diff --git a/src/secp256k1/doc/speedup-batch/.gitignore b/src/secp256k1/doc/speedup-batch/.gitignore
@@ -0,0 +1 @@
+*.dat
diff --git a/src/secp256k1/doc/speedup-batch/Makefile b/src/secp256k1/doc/speedup-batch/Makefile
@@ -0,0 +1,23 @@
+schnorrsig_data = schnorrsig_batch.dat schnorrsig_single.dat
+tweak_data = tweak_batch.dat tweak_single.dat
+
+bench_output.txt: bench.sh
+	SECP256K1_BENCH_ITERS=500000 ./bench.sh bench_output.txt
+
+schnorrsig_batch.dat: bench_output.txt
+	cat bench_output.txt | grep -v "schnorrsig_batch_verify_1 " | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /schnorrsig_batch_verify_([0-9]+)/, arr) {print arr[1] " " $$3}' > schnorrsig_batch.dat
+
+schnorrsig_single.dat: bench_output.txt
+	cat bench_output.txt | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /schnorrsig_verify/) {print $$3}' > schnorrsig_single.dat
+
+tweak_batch.dat: bench_output.txt
+	cat bench_output.txt | grep -v "tweak_check_batch_verify_1 " | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /tweak_check_batch_verify_([0-9]+)/, arr) {print arr[1] " " $$3}' > tweak_batch.dat
+
+tweak_single.dat: bench_output.txt
+	cat bench_output.txt | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /tweak_add_check/) {print $$3}' > tweak_single.dat
+
+speedup-batch.png: $(schnorrsig_data) $(tweak_data) plot.gp
+	gnuplot plot.gp
+
+clean:
+	rm *.log *.txt *.dat *.png
diff --git a/src/secp256k1/doc/speedup-batch/bench.sh b/src/secp256k1/doc/speedup-batch/bench.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+output_file=$1
+cur_dir=$(pwd)
+
+cd ../../
+echo "HEAD: $(git rev-parse --short HEAD)" > "$cur_dir/$output_file.log"
+make clean
+./autogen.sh
+./configure --enable-experimental --enable-module-batch --enable-module-schnorrsig >> "$cur_dir/$output_file.log"
+make -j
+./bench schnorrsig > "$cur_dir/$output_file"
+./bench extrakeys >> "$cur_dir/$output_file"