Rip out non-endomorphism code#826
Closed
sipa wants to merge 1 commit intobitcoin-core:masterfrom
Closed
Conversation
sipa
force-pushed
the
202009_endo_endo_endo
branch
2 times, most recently
from
e199824 to
a523e2c
Compare
Contributor
|
There's nothing I love more than a PR that only deletes code :) |
Contributor
Author
Hey it also improves some comments. |
elichai
reviewed
Sep 26, 2020
Contributor
|
tACK a523e2c two nits:
|
Contributor
|
ACK a523e2c (modulo merge conflict): diff looks correct |
sipa
force-pushed
the
202009_endo_endo_endo
branch
from
a523e2c to
46f9e0e
Compare
Contributor
Author
|
Rebased, and:
Done. |
Contributor
|
Looks good to me, endo only increases a stripped Os build for me by 456 bytes-- so insignificant esp with respect to the performance difference, so I don't see any reason to keep the other code around even for code size constrained applications (you can get 456 bytes of savings in other ways with less performance impact). |
jonatack
reviewed
Sep 28, 2020
tarcieri
added a commit
to RustCrypto/elliptic-curves
that referenced
this pull request
Sep 28, 2020
The reason this wasn't enabled-by-default before was due to a lingering US patent. However, as noted on #211, that patent just expired 🎉 The `bitcoin-core/secp256k1` library is also pursuing a full switch to endomorphisms: bitcoin-core/secp256k1#826 For now this commit just switches on the feature by default, but in the future we can eventually rip out the non-endomorphism code and remove the feature entirely.
tarcieri
added a commit
to RustCrypto/elliptic-curves
that referenced
this pull request
Sep 28, 2020
The reason this wasn't enabled-by-default before was due to a lingering US patent. However, as noted on #211, that patent just expired 🎉 The `bitcoin-core/secp256k1` library is also pursuing a full switch to endomorphisms: bitcoin-core/secp256k1#826 For now this commit just switches on the feature by default, but in the future we can eventually rip out the non-endomorphism code and remove the feature entirely.
Contributor
|
re-ACK 46f9e0e |
Member
|
ACK 46f9e0e
I agree. I also looked at it from that angle, but this is a negligible increase in code size. Not worth keeping an option around for. |
Contributor
|
re-ACK 46f9e0e |
tarcieri
added a commit
to RustCrypto/elliptic-curves
that referenced
this pull request
Sep 29, 2020
This code was previously gated under the `endomorphism-mul` feature due to lingering concerns about the "GLV" patents, namely US7110538. According to @pwuille, a patent attorney he works with has verified that the patent is expired: https://twitter.com/pwuille/status/1310639051393830912 Likewise non-endomorphism code is being removed from `bitcoin-core/secp256k1`: bitcoin-core/secp256k1#826 This commit does the same for `k256`: it removes all the non-endomorphism code and feature gating from the endomorphism code, making the `endomorphism-mul` feature a no-op. We can remove the feature in the next SemVer-breaking release (v0.6.x)
tarcieri
added a commit
to RustCrypto/elliptic-curves
that referenced
this pull request
Sep 30, 2020
This code was previously gated under the `endomorphism-mul` feature due to lingering concerns about the "GLV" patents, namely US7110538. According to @pwuille, a patent attorney he works with has verified that the patent is expired: https://twitter.com/pwuille/status/1310639051393830912 Likewise non-endomorphism code is being removed from `bitcoin-core/secp256k1`: bitcoin-core/secp256k1#826 This commit does the same for `k256`: it removes all the non-endomorphism code and feature gating from the endomorphism code, making the `endomorphism-mul` feature a no-op. We can remove the feature in the next SemVer-breaking release (v0.6.x)
|
ACK 46f9e0e |
Contributor
Author
|
I'd like #822 in before this, as should have all assurances we can get that the lambda-split values indeed stay in range. |
This was referenced Oct 11, 2020
Contributor
Author
sipa
added a commit
that referenced
this pull request
Oct 14, 2020
c582aba Consistency improvements to the comments (Pieter Wuille) 63c6b71 Reorder comments/function around scalar_split_lambda (Pieter Wuille) 2edc514 WNAF of lambda_split output has max size 129 (Pieter Wuille) 4232e5b Rip out non-endomorphism code (Pieter Wuille) ebad841 Check correctness of lambda split without -DVERIFY (Gregory Maxwell) fe7fc1f Make lambda constant accessible (Pieter Wuille) 9d2f2b4 Add tests to exercise lambda split near bounds (Pieter Wuille) 9aca2f7 Add secp256k1_split_lambda_verify (Russell O'Connor) acab934 Detailed comments for secp256k1_scalar_split_lambda (Russell O'Connor) 76ed922 Increase precision of g1 and g2 (Russell O'Connor) 6173839 Switch to our own memcmp function (Tim Ruffing) Pull request description: This is a rebased/combined version of the following pull requests/commits with minor changes: * #825 Switch to our own memcmp function * Modification: `secp256k1_memcmp_var` is marked static inline * Modification: also replace `memcmp` with `secp256k1_memcmp_var` in exhaustive tests * Modification: add reference to GCC bug 95189 * #822 Increase precision of g1 and g2 * Modification: use the new `secp256k1_memcmp_var` function instead of `memcmp` (see #822 (comment)) * Modification: drop the " Allow secp256k1_split_lambda_verify to pass even in the presence of GCC bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189." commit, as it's dealt with using `secp256k1_memcmp_var`. * Modification: rename secp256k1_gej_mul_lambda -> secp256k1_ge_mul_lambda * A new commit that moves the `lambda` constant out of `secp256k1_scalar_split_lambda` and (`_verify`). * The test commit suggested here: #822 (comment) * Modification: use the new accessible `secp256k1_const_lambda` instead of duplicating it. * #826 Rip out non-endomorphism code * A new commit that reduces the size of the WNAF output to 129, as we now have proof that the split output is always 128 bits or less. * A new commit to more consistently use input:`k`, integer outputs:`k1`,`k2`, modulo n outputs:`r1`,`r2` ACKs for top commit: real-or-random: ACK c582aba code inspection, some tests, verified the new g1/g2 constants jonasnick: ACK c582aba didn't verify the proof Tree-SHA512: 323a3ee3884b7ac4fa85c8e7b785111b5c0638d718bc1c805a38963c87411e81a746c98e9a42a3e2197ab34a874544de5cc51326955d1c4d0ea45afd418e819f
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As the patent on the GLV optimization has expired, there is no need to keep the slower non-endomorphism code around anymore.