Bitcoin Core  0.20.99
P2P Digital Currency
ecmult_const_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2015 Pieter Wuille, Andrew Poelstra *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef SECP256K1_ECMULT_CONST_IMPL_H
8 #define SECP256K1_ECMULT_CONST_IMPL_H
9 
10 #include "scalar.h"
11 #include "group.h"
12 #include "ecmult_const.h"
13 #include "ecmult_impl.h"
14 
15 /* This is like `ECMULT_TABLE_GET_GE` but is constant time */
16 #define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \
17  int m = 0; \
18  /* Extract the sign-bit for a constant time absolute-value. */ \
19  int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \
20  int abs_n = ((n) + mask) ^ mask; \
21  int idx_n = abs_n >> 1; \
22  secp256k1_fe neg_y; \
23  VERIFY_CHECK(((n) & 1) == 1); \
24  VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \
25  VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \
26  VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \
27  VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \
28  /* Unconditionally set r->x = (pre)[m].x. r->y = (pre)[m].y. because it's either the correct one \
29  * or will get replaced in the later iterations, this is needed to make sure `r` is initialized. */ \
30  (r)->x = (pre)[m].x; \
31  (r)->y = (pre)[m].y; \
32  for (m = 1; m < ECMULT_TABLE_SIZE(w); m++) { \
33  /* This loop is used to avoid secret data in array indices. See
34  * the comment in ecmult_gen_impl.h for rationale. */ \
35  secp256k1_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \
36  secp256k1_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \
37  } \
38  (r)->infinity = 0; \
39  secp256k1_fe_negate(&neg_y, &(r)->y, 1); \
40  secp256k1_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \
41 } while(0)
42 
43 
57 static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size) {
58  int global_sign;
59  int skew = 0;
60  int word = 0;
61 
62  /* 1 2 3 */
63  int u_last;
64  int u;
65 
66  int flip;
67  int bit;
69  int not_neg_one;
70 
71  VERIFY_CHECK(w > 0);
72  VERIFY_CHECK(size > 0);
73 
74  /* Note that we cannot handle even numbers by negating them to be odd, as is
75  * done in other implementations, since if our scalars were specified to have
76  * width < 256 for performance reasons, their negations would have width 256
77  * and we'd lose any performance benefit. Instead, we use a technique from
78  * Section 4.2 of the Okeya/Tagaki paper, which is to add either 1 (for even)
79  * or 2 (for odd) to the number we are encoding, returning a skew value indicating
80  * this, and having the caller compensate after doing the multiplication.
81  *
82  * In fact, we _do_ want to negate numbers to minimize their bit-lengths (and in
83  * particular, to ensure that the outputs from the endomorphism-split fit into
84  * 128 bits). If we negate, the parity of our number flips, inverting which of
85  * {1, 2} we want to add to the scalar when ensuring that it's odd. Further
86  * complicating things, -1 interacts badly with `secp256k1_scalar_cadd_bit` and
87  * we need to special-case it in this logic. */
88  flip = secp256k1_scalar_is_high(scalar);
89  /* We add 1 to even numbers, 2 to odd ones, noting that negation flips parity */
90  bit = flip ^ !secp256k1_scalar_is_even(scalar);
91  /* We check for negative one, since adding 2 to it will cause an overflow */
92  secp256k1_scalar_negate(&s, scalar);
93  not_neg_one = !secp256k1_scalar_is_one(&s);
94  s = *scalar;
95  secp256k1_scalar_cadd_bit(&s, bit, not_neg_one);
96  /* If we had negative one, flip == 1, s.d[0] == 0, bit == 1, so caller expects
97  * that we added two to it and flipped it. In fact for -1 these operations are
98  * identical. We only flipped, but since skewing is required (in the sense that
99  * the skew must be 1 or 2, never zero) and flipping is not, we need to change
100  * our flags to claim that we only skewed. */
101  global_sign = secp256k1_scalar_cond_negate(&s, flip);
102  global_sign *= not_neg_one * 2 - 1;
103  skew = 1 << bit;
104 
105  /* 4 */
106  u_last = secp256k1_scalar_shr_int(&s, w);
107  do {
108  int even;
109 
110  /* 4.1 4.4 */
111  u = secp256k1_scalar_shr_int(&s, w);
112  /* 4.2 */
113  even = ((u & 1) == 0);
114  /* In contrast to the original algorithm, u_last is always > 0 and
115  * therefore we do not need to check its sign. In particular, it's easy
116  * to see that u_last is never < 0 because u is never < 0. Moreover,
117  * u_last is never = 0 because u is never even after a loop
118  * iteration. The same holds analogously for the initial value of
119  * u_last (in the first loop iteration). */
120  VERIFY_CHECK(u_last > 0);
121  VERIFY_CHECK((u_last & 1) == 1);
122  u += even;
123  u_last -= even * (1 << w);
124 
125  /* 4.3, adapted for global sign change */
126  wnaf[word++] = u_last * global_sign;
127 
128  u_last = u;
129  } while (word * w < size);
130  wnaf[word] = u * global_sign;
131 
133  VERIFY_CHECK(word == WNAF_SIZE_BITS(size, w));
134  return skew;
135 }
136 
137 static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *scalar, int size) {
139  secp256k1_ge tmpa;
140  secp256k1_fe Z;
141 
142  int skew_1;
144  int wnaf_lam[1 + WNAF_SIZE(WINDOW_A - 1)];
145  int skew_lam;
146  secp256k1_scalar q_1, q_lam;
147  int wnaf_1[1 + WNAF_SIZE(WINDOW_A - 1)];
148 
149  int i;
150 
151  /* build wnaf representation for q. */
152  int rsize = size;
153  if (size > 128) {
154  rsize = 128;
155  /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */
156  secp256k1_scalar_split_lambda(&q_1, &q_lam, scalar);
157  skew_1 = secp256k1_wnaf_const(wnaf_1, &q_1, WINDOW_A - 1, 128);
158  skew_lam = secp256k1_wnaf_const(wnaf_lam, &q_lam, WINDOW_A - 1, 128);
159  } else
160  {
161  skew_1 = secp256k1_wnaf_const(wnaf_1, scalar, WINDOW_A - 1, size);
162  skew_lam = 0;
163  }
164 
165  /* Calculate odd multiples of a.
166  * All multiples are brought to the same Z 'denominator', which is stored
167  * in Z. Due to secp256k1' isomorphism we can do all operations pretending
168  * that the Z coordinate was 1, use affine addition formulae, and correct
169  * the Z coordinate of the result once at the end.
170  */
171  secp256k1_gej_set_ge(r, a);
173  for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
174  secp256k1_fe_normalize_weak(&pre_a[i].y);
175  }
176  if (size > 128) {
177  for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
178  secp256k1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]);
179  }
180 
181  }
182 
183  /* first loop iteration (separated out so we can directly set r, rather
184  * than having it start at infinity, get doubled several times, then have
185  * its new value added to it) */
186  i = wnaf_1[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)];
187  VERIFY_CHECK(i != 0);
188  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, i, WINDOW_A);
189  secp256k1_gej_set_ge(r, &tmpa);
190  if (size > 128) {
191  i = wnaf_lam[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)];
192  VERIFY_CHECK(i != 0);
193  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, i, WINDOW_A);
194  secp256k1_gej_add_ge(r, r, &tmpa);
195  }
196  /* remaining loop iterations */
197  for (i = WNAF_SIZE_BITS(rsize, WINDOW_A - 1) - 1; i >= 0; i--) {
198  int n;
199  int j;
200  for (j = 0; j < WINDOW_A - 1; ++j) {
201  secp256k1_gej_double(r, r);
202  }
203 
204  n = wnaf_1[i];
205  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, n, WINDOW_A);
206  VERIFY_CHECK(n != 0);
207  secp256k1_gej_add_ge(r, r, &tmpa);
208  if (size > 128) {
209  n = wnaf_lam[i];
210  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, n, WINDOW_A);
211  VERIFY_CHECK(n != 0);
212  secp256k1_gej_add_ge(r, r, &tmpa);
213  }
214  }
215 
216  secp256k1_fe_mul(&r->z, &r->z, &Z);
217 
218  {
219  /* Correct for wNAF skew */
220  secp256k1_ge correction = *a;
221  secp256k1_ge_storage correction_1_stor;
222  secp256k1_ge_storage correction_lam_stor;
223  secp256k1_ge_storage a2_stor;
224  secp256k1_gej tmpj;
225  secp256k1_gej_set_ge(&tmpj, &correction);
226  secp256k1_gej_double_var(&tmpj, &tmpj, NULL);
227  secp256k1_ge_set_gej(&correction, &tmpj);
228  secp256k1_ge_to_storage(&correction_1_stor, a);
229  if (size > 128) {
230  secp256k1_ge_to_storage(&correction_lam_stor, a);
231  }
232  secp256k1_ge_to_storage(&a2_stor, &correction);
233 
234  /* For odd numbers this is 2a (so replace it), for even ones a (so no-op) */
235  secp256k1_ge_storage_cmov(&correction_1_stor, &a2_stor, skew_1 == 2);
236  if (size > 128) {
237  secp256k1_ge_storage_cmov(&correction_lam_stor, &a2_stor, skew_lam == 2);
238  }
239 
240  /* Apply the correction */
241  secp256k1_ge_from_storage(&correction, &correction_1_stor);
242  secp256k1_ge_neg(&correction, &correction);
243  secp256k1_gej_add_ge(r, r, &correction);
244 
245  if (size > 128) {
246  secp256k1_ge_from_storage(&correction, &correction_lam_stor);
247  secp256k1_ge_neg(&correction, &correction);
248  secp256k1_ge_mul_lambda(&correction, &correction);
249  secp256k1_gej_add_ge(r, r, &correction);
250  }
251  }
252 }
253 
254 #endif /* SECP256K1_ECMULT_CONST_IMPL_H */
#define VERIFY_CHECK(cond)
Definition: util.h:68
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult_impl.h:67
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_ecmult_odd_multiples_table_globalz_windowa(secp256k1_ge *pre, secp256k1_fe *globalz, const secp256k1_gej *a)
Fill a table &#39;pre&#39; with precomputed odd multiples of a.
Definition: ecmult_impl.h:135
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *scalar, int size)
#define ECMULT_CONST_TABLE_GET_GE(r, pre, n, w)
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:63
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don&#39;t fully normalize.
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast...
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
#define WINDOW_A
Definition: ecmult_impl.h:34
secp256k1_fe z
Definition: group.h:27
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:64
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.