Corrections are to the median block times, which were generated by subtracting
CBlockIndex::nMedianTimeSpan / 2 from the block height and then multiplying by
the target spacing. GetMedianTimePast() takes an array sorted by std::sort() and
returns element CBlockIndex::nMedianTimeSpan / 2, meaning that if
CBlockIndex::nMedianTimeSpan is odd (which it is), there is an out-by-one error
in the subtraction.
Add ability for node to reject tx from mempool by number of tx inputs
Implement short-term solution described in #2343 so that users can respond promptly to critical short-term problems caused by quadratic validation scaling, such as the getblocktemplate latency, block propagation latency, and mempool size inflation issues described in #2333.
Switch to libsecp256k1-based validation for ECDSA
Cherry-picked from the following upstream PRs:
- bitcoin/bitcoin#6983
- bitcoin/bitcoin#6954
Part of #2333.
Additional well-formedness check for G2 elements
libsnark currently checks that G<sub>1</sub> and G<sub>2</sub> elements are well-formed by ensuring that they satisfy their respective curve equations, and although this is enough for G<sub>1</sub> (which is instantiated as an order r curve E/F<sub>p</sub>: y^2 = x^3 + b), G<sub>2</sub> is the order r *subgroup* of the composite order r(2q-r) curve E'/Fp<sup>2</sup>: y^2 = x^3 + b/e constructed via a sextic twisting isomorphism. This means we need to ensure these points are order r as well.
None of the proofs on the Zcash blockchain violate this check, and it may not even be possible for them to violate this check (bilinearity is not preserved). Let's be cautious and do it anyway.
Isolate verification to a ProofVerifier context object that allows verification behavior to be tuned by the caller.
This is an alternative foundation for #1892, i.e., #1892 will have to be changed if this PR is accepted.
I think this is a safer approach because it allows us to isolate verification behavior to a single object. This will come in handy when @arielgabizon finishes the batching code.
Improve joinsplit diagnostics
I don't advocate merging this for the hotfix release (to fix#1779) but this PR can be used to diagnose the real issue and should be merged ASAP afterward.
~I still need to add tests for `last()` and `element()` though.~ Done.
