Squashed 'src/secp256k1/' changes from 0cdc758a56..e440c4fe45

e440c4fe45 build: Add build option for batch module
7c6b9df9ec SQUASH ME: Fix silent merge conflicts
4a0ea6104d batch: Generate graphs for batch verification speed up
a804f05738 batch, extrakeys: Add benchmark for batch verify and `tweak_add_check`
2fa3654b1e batch: Add tests for `batch_add_*` APIs
2167f490c5 batch,ecmult: Add tests for core batch APIs and `strauss_batch` refactor
453a42c22f batch: Add API usage example
564b573451 batch: Add `batch_add_*` APIs
c6577399a0 batch, ecmult: Add `batch_verify` API and refactor `strauss_batch`
bb04d14af5 batch: Add `create` and `destroy` APIs
e28dd3a120 batch: Initialize an experimental batch module
8deef00b33 Merge bitcoin-core/secp256k1#1634: Fix some misspellings
39705450eb Fix some misspellings
ec329c2501 Merge bitcoin-core/secp256k1#1633: release cleanup: bump version after 0.6.0
c97059f594 release cleanup: bump version after 0.6.0

git-subtree-dir: src/secp256k1
git-subtree-split: e440c4fe45b82dba2fb39889c1b5244574ae4bd5

Author: fjahr

.gitignore

@@ -12,6 +12,7 @@ ecdsa_example
 schnorr_example
 ellswift_example
 musig_example
+batch_example
 *.exe
 *.so
 *.a

CHANGELOG.md

@@ -5,6 +5,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
 ## [0.6.0] - 2024-11-04
 
 #### Added
@@ -162,6 +164,7 @@ This version was in fact never released.
 The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).
 Therefore, this version number does not uniquely identify a set of source files.
 
+[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.6.0...HEAD
 [0.6.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.5.1...v0.6.0
 [0.5.1]: https://github.com/bitcoin-core/secp256k1/compare/v0.5.0...v0.5.1
 [0.5.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.4.1...v0.5.0

CMakeLists.txt

@@ -7,7 +7,7 @@ project(libsecp256k1
   # The package (a.k.a. release) version is based on semantic versioning 2.0.0 of
   # the API. All changes in experimental modules are treated as
   # backwards-compatible and therefore at most increase the minor version.
-  VERSION 0.6.0
+  VERSION 0.6.1
   DESCRIPTION "Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1."
   HOMEPAGE_URL "https://github.com/bitcoin-core/secp256k1"
   LANGUAGES C
@@ -32,7 +32,7 @@ endif()
 # All changes in experimental modules are treated as if they don't affect the
 # interface and therefore only increase the revision.
 set(${PROJECT_NAME}_LIB_VERSION_CURRENT 5)
-set(${PROJECT_NAME}_LIB_VERSION_REVISION 0)
+set(${PROJECT_NAME}_LIB_VERSION_REVISION 1)
 set(${PROJECT_NAME}_LIB_VERSION_AGE 0)
 
 #=============================
@@ -55,11 +55,12 @@ option(SECP256K1_INSTALL "Enable installation." ${PROJECT_IS_TOP_LEVEL})
 ## Modules
 
 # We declare all options before processing them, to make sure we can express
-# dependendencies while processing.
+# dependencies while processing.
 option(SECP256K1_ENABLE_MODULE_ECDH "Enable ECDH module." ON)
 option(SECP256K1_ENABLE_MODULE_RECOVERY "Enable ECDSA pubkey recovery module." OFF)
 option(SECP256K1_ENABLE_MODULE_EXTRAKEYS "Enable extrakeys module." ON)
 option(SECP256K1_ENABLE_MODULE_SCHNORRSIG "Enable schnorrsig module." ON)
+option(SECP256K1_ENABLE_MODULE_BATCH "Enable batch module." OFF)
 option(SECP256K1_ENABLE_MODULE_MUSIG "Enable musig module." ON)
 option(SECP256K1_ENABLE_MODULE_ELLSWIFT "Enable ElligatorSwift module." ON)
 
@@ -69,6 +70,18 @@ if(SECP256K1_ENABLE_MODULE_ELLSWIFT)
   add_compile_definitions(ENABLE_MODULE_ELLSWIFT=1)
 endif()
 
+option(SECP256K1_EXPERIMENTAL "Allow experimental configuration options." OFF)
+if(SECP256K1_ENABLE_MODULE_BATCH)
+  if(NOT SECP256K1_EXPERIMENTAL)
+    message(FATAL_ERROR "Schnorrsig batch validation is experimental. Use -DSECP256K1_EXPERIMENTAL=ON to allow.")
+  endif()
+  if(DEFINED SECP256K1_ENABLE_MODULE_SCHNORRSIG AND NOT SECP256K1_ENABLE_MODULE_SCHNORRSIG)
+    message(FATAL_ERROR "Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the Schnorrsig batch validation module.")
+  endif()
+  set(SECP256K1_ENABLE_MODULE_SCHNORRSIG ON)
+  add_compile_definitions(ENABLE_MODULE_BATCH=1)
+endif()
+
 if(SECP256K1_ENABLE_MODULE_MUSIG)
   if(DEFINED SECP256K1_ENABLE_MODULE_SCHNORRSIG AND NOT SECP256K1_ENABLE_MODULE_SCHNORRSIG)
     message(FATAL_ERROR "Module dependency error: You have disabled the schnorrsig module explicitly, but it is required by the musig module.")
@@ -156,7 +169,6 @@ elseif(SECP256K1_ASM)
   endif()
 endif()
 
-option(SECP256K1_EXPERIMENTAL "Allow experimental configuration options." OFF)
 if(NOT SECP256K1_EXPERIMENTAL)
   if(SECP256K1_ASM STREQUAL "arm32")
     message(FATAL_ERROR "ARM32 assembly is experimental. Use -DSECP256K1_EXPERIMENTAL=ON to allow.")
@@ -325,6 +337,7 @@ message("  ECDH ................................ ${SECP256K1_ENABLE_MODULE_ECDH}
 message("  ECDSA pubkey recovery ............... ${SECP256K1_ENABLE_MODULE_RECOVERY}")
 message("  extrakeys ........................... ${SECP256K1_ENABLE_MODULE_EXTRAKEYS}")
 message("  schnorrsig .......................... ${SECP256K1_ENABLE_MODULE_SCHNORRSIG}")
+message("  batch ............................... ${SECP256K1_ENABLE_MODULE_BATCH}")
 message("  musig ............................... ${SECP256K1_ENABLE_MODULE_MUSIG}")
 message("  ElligatorSwift ...................... ${SECP256K1_ENABLE_MODULE_ELLSWIFT}")
 message("Parameters:")

Makefile.am

@@ -183,6 +183,17 @@ if BUILD_WINDOWS
 schnorr_example_LDFLAGS += -lbcrypt
 endif
 TESTS += schnorr_example
+if ENABLE_MODULE_BATCH
+noinst_PROGRAMS += batch_example
+batch_example_SOURCES = examples/batch.c
+batch_example_CPPFLAGS = -I$(top_srcdir)/include
+batch_example_LDADD = libsecp256k1.la
+batch_example_LDFLAGS = -static
+if BUILD_WINDOWS
+batch_example_LDFLAGS += -lbcrypt
+endif
+TESTS += batch_example
+endif
 endif
 if ENABLE_MODULE_ELLSWIFT
 noinst_PROGRAMS += ellswift_example
@@ -300,3 +311,7 @@ endif
 if ENABLE_MODULE_ELLSWIFT
 include src/modules/ellswift/Makefile.am.include
 endif
+
+if ENABLE_MODULE_BATCH
+include src/modules/batch/Makefile.am.include
+endif

README.md

@@ -22,6 +22,7 @@ Features:
 * Optional module for Schnorr signatures according to [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 * Optional module for ElligatorSwift key exchange according to [BIP-324](https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki).
 * Optional module for MuSig2 Schnorr multi-signatures according to [BIP-327](https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki).
+* Optional module for Batch Verification (experimental).
 
 Implementation details
 ----------------------

ci/cirrus.sh

@@ -0,0 +1,82 @@
+#!/bin/sh
+
+set -e
+set -x
+
+export LC_ALL=C
+
+# Start persistent wineserver if necessary.
+# This speeds up jobs with many invocations of wine (e.g., ./configure with MSVC) tremendously.
+case "$WRAPPER_CMD" in
+    *wine*)
+        # This is apparently only reliable when we run a dummy command such as "hh.exe" afterwards.
+        wineserver -p && wine hh.exe
+        ;;
+esac
+
+env >> test_env.log
+
+$CC -v || true
+valgrind --version || true
+$WRAPPER_CMD --version || true
+
+./autogen.sh
+
+./configure \
+    --enable-experimental="$EXPERIMENTAL" \
+    --with-test-override-wide-multiply="$WIDEMUL" --with-asm="$ASM" \
+    --with-ecmult-window="$ECMULTWINDOW" \
+    --with-ecmult-gen-precision="$ECMULTGENPRECISION" \
+    --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
+    --enable-module-schnorrsig="$SCHNORRSIG" \
+    --enable-module-batch="$BATCH" \
+    --enable-examples="$EXAMPLES" \
+    --with-valgrind="$WITH_VALGRIND" \
+    --host="$HOST" $EXTRAFLAGS
+
+# We have set "-j<n>" in MAKEFLAGS.
+make
+
+# Print information about binaries so that we can see that the architecture is correct
+file *tests* || true
+file bench* || true
+file .libs/* || true
+
+# This tells `make check` to wrap test invocations.
+export LOG_COMPILER="$WRAPPER_CMD"
+
+make "$BUILD"
+
+if [ "$BENCH" = "yes" ]
+then
+    # Using the local `libtool` because on macOS the system's libtool has nothing to do with GNU libtool
+    EXEC='./libtool --mode=execute'
+    if [ -n "$WRAPPER_CMD" ]
+    then
+        EXEC="$EXEC $WRAPPER_CMD"
+    fi
+    {
+        $EXEC ./bench_ecmult
+        $EXEC ./bench_internal
+        $EXEC ./bench
+    } >> bench.log 2>&1
+fi
+
+if [ "$CTIMETEST" = "yes" ]
+then
+    ./libtool --mode=execute valgrind --error-exitcode=42 ./valgrind_ctime_test > valgrind_ctime_test.log 2>&1
+fi
+
+# Rebuild precomputed files (if not cross-compiling).
+if [ -z "$HOST" ]
+then
+    make clean-precomp
+    make precomp
+fi
+
+# Shutdown wineserver again
+wineserver -k || true
+
+# Check that no repo files have been modified by the build.
+# (This fails for example if the precomp files need to be updated in the repo.)
+git diff --exit-code

configure.ac

@@ -5,16 +5,16 @@ AC_PREREQ([2.60])
 # backwards-compatible and therefore at most increase the minor version.
 define(_PKG_VERSION_MAJOR, 0)
 define(_PKG_VERSION_MINOR, 6)
-define(_PKG_VERSION_PATCH, 0)
-define(_PKG_VERSION_IS_RELEASE, true)
+define(_PKG_VERSION_PATCH, 1)
+define(_PKG_VERSION_IS_RELEASE, false)
 
 # The library version is based on libtool versioning of the ABI. The set of
 # rules for updating the version can be found here:
 # https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
 # All changes in experimental modules are treated as if they don't affect the
 # interface and therefore only increase the revision.
 define(_LIB_VERSION_CURRENT, 5)
-define(_LIB_VERSION_REVISION, 0)
+define(_LIB_VERSION_REVISION, 1)
 define(_LIB_VERSION_AGE, 0)
 
 AC_INIT([libsecp256k1],m4_join([.], _PKG_VERSION_MAJOR, _PKG_VERSION_MINOR, _PKG_VERSION_PATCH)m4_if(_PKG_VERSION_IS_RELEASE, [true], [], [-dev]),[https://github.com/bitcoin-core/secp256k1/issues],[libsecp256k1],[https://github.com/bitcoin-core/secp256k1])
@@ -192,6 +192,10 @@ AC_ARG_ENABLE(module_ellswift,
     AS_HELP_STRING([--enable-module-ellswift],[enable ElligatorSwift module [default=yes]]), [],
     [SECP_SET_DEFAULT([enable_module_ellswift], [yes], [yes])])
 
+AC_ARG_ENABLE(module_batch,
+    AS_HELP_STRING([--enable-module-batch],[enable batch verification module (experimental) [default=no]]), [],
+    [SECP_SET_DEFAULT([enable_module_batch], [no], [yes])])
+
 AC_ARG_ENABLE(external_default_callbacks,
     AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]), [],
     [SECP_SET_DEFAULT([enable_external_default_callbacks], [no], [no])])
@@ -254,8 +258,8 @@ fi
 print_msan_notice=no
 if test x"$enable_ctime_tests" = x"yes"; then
   SECP_MSAN_CHECK
-  # MSan on Clang >=16 reports unitialized memory in function parameters and return values, even if
-  # the uninitalized variable is never actually "used". This is called "eager" checking, and it's
+  # MSan on Clang >=16 reports uninitialized memory in function parameters and return values, even if
+  # the uninitialized variable is never actually "used". This is called "eager" checking, and it's
   # sounds like good idea for normal use of MSan. However, it yields many false positives in the
   # ctime_tests because many return values depend on secret (i.e., "uninitialized") values, and
   # we're only interested in detecting branches (which count as "uses") on secret data.
@@ -430,6 +434,10 @@ if test x"$enable_module_ecdh" = x"yes"; then
   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDH=1"
 fi
 
+if test x"$enable_module_batch" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_BATCH, 1, [Define this symbol to enable the batch verification module])
+fi
+
 if test x"$enable_external_default_callbacks" = x"yes"; then
   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_DEFAULT_CALLBACKS=1"
 fi
@@ -442,6 +450,9 @@ if test x"$enable_experimental" = x"no"; then
   if test x"$set_asm" = x"arm32"; then
     AC_MSG_ERROR([ARM32 assembly is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_batch" = x"yes"; then
+    AC_MSG_ERROR([batch verification module is experimental. Use --enable-experimental to allow.])
+  fi
 fi
 
 ###
@@ -463,6 +474,7 @@ AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"
 AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ELLSWIFT], [test x"$enable_module_ellswift" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_BATCH], [test x"$enable_module_batch" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$enable_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm32"])
 AM_CONDITIONAL([BUILD_WINDOWS], [test "$build_windows" = "yes"])
@@ -486,6 +498,7 @@ echo "  module extrakeys        = $enable_module_extrakeys"
 echo "  module schnorrsig       = $enable_module_schnorrsig"
 echo "  module musig            = $enable_module_musig"
 echo "  module ellswift         = $enable_module_ellswift"
+echo "  module batch            = $enable_module_batch"
 echo
 echo "  asm                     = $set_asm"
 echo "  ecmult window size      = $set_ecmult_window"

doc/speedup-batch.md

@@ -0,0 +1,15 @@
+# Schnorrsig Batch Verification Speedup
+
+![Speedup over single verification](speedup-batch/schnorrsig-speedup-batch.png)
+
+# Tweak Pubkey Check Batch Verification Speedup
+
+![Speedup over single verification](speedup-batch/tweakcheck-speedup-batch.png)
+
+Build steps
+-----------
+To generate the above graphs on your local machine:
+
+    $ cd doc/speedup-batch
+    $ make
+    $ make speedup-batch.png

doc/speedup-batch/.gitignore

@@ -0,0 +1 @@
+*.dat

doc/speedup-batch/Makefile

@@ -0,0 +1,23 @@
+schnorrsig_data = schnorrsig_batch.dat schnorrsig_single.dat
+tweak_data = tweak_batch.dat tweak_single.dat
+
+bench_output.txt: bench.sh
+	SECP256K1_BENCH_ITERS=500000 ./bench.sh bench_output.txt
+
+schnorrsig_batch.dat: bench_output.txt
+	cat bench_output.txt | grep -v "schnorrsig_batch_verify_1 " | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /schnorrsig_batch_verify_([0-9]+)/, arr) {print arr[1] " " $$3}' > schnorrsig_batch.dat
+
+schnorrsig_single.dat: bench_output.txt
+	cat bench_output.txt | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /schnorrsig_verify/) {print $$3}' > schnorrsig_single.dat
+
+tweak_batch.dat: bench_output.txt
+	cat bench_output.txt | grep -v "tweak_check_batch_verify_1 " | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /tweak_check_batch_verify_([0-9]+)/, arr) {print arr[1] " " $$3}' > tweak_batch.dat
+
+tweak_single.dat: bench_output.txt
+	cat bench_output.txt | awk '{ gsub(/ /,""); print }' | awk -F, 'match($$0, /tweak_add_check/) {print $$3}' > tweak_single.dat
+
+speedup-batch.png: $(schnorrsig_data) $(tweak_data) plot.gp
+	gnuplot plot.gp
+
+clean:
+	rm *.log *.txt *.dat *.png

doc/speedup-batch/bench.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+output_file=$1
+cur_dir=$(pwd)
+
+cd ../../
+echo "HEAD: $(git rev-parse --short HEAD)" > "$cur_dir/$output_file.log"
+make clean
+./autogen.sh
+./configure --enable-experimental --enable-module-batch --enable-module-schnorrsig >> "$cur_dir/$output_file.log"
+make -j
+./bench schnorrsig > "$cur_dir/$output_file"
+./bench extrakeys >> "$cur_dir/$output_file"