Bitcoin Core  0.20.99
P2P Digital Currency
ecmult_const_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2015 Pieter Wuille, Andrew Poelstra *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef SECP256K1_ECMULT_CONST_IMPL_H
8 #define SECP256K1_ECMULT_CONST_IMPL_H
9 
10 #include "scalar.h"
11 #include "group.h"
12 #include "ecmult_const.h"
13 #include "ecmult_impl.h"
14 
15 /* This is like `ECMULT_TABLE_GET_GE` but is constant time */
16 #define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \
17  int m = 0; \
18  /* Extract the sign-bit for a constant time absolute-value. */ \
19  int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \
20  int abs_n = ((n) + mask) ^ mask; \
21  int idx_n = abs_n >> 1; \
22  secp256k1_fe neg_y; \
23  VERIFY_CHECK(((n) & 1) == 1); \
24  VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \
25  VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \
26  VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \
27  VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \
28  /* Unconditionally set r->x = (pre)[m].x. r->y = (pre)[m].y. because it's either the correct one \
29  * or will get replaced in the later iterations, this is needed to make sure `r` is initialized. */ \
30  (r)->x = (pre)[m].x; \
31  (r)->y = (pre)[m].y; \
32  for (m = 1; m < ECMULT_TABLE_SIZE(w); m++) { \
33  /* This loop is used to avoid secret data in array indices. See
34  * the comment in ecmult_gen_impl.h for rationale. */ \
35  secp256k1_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \
36  secp256k1_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \
37  } \
38  (r)->infinity = 0; \
39  secp256k1_fe_negate(&neg_y, &(r)->y, 1); \
40  secp256k1_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \
41 } while(0)
42 
43 
57 static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size) {
58  int global_sign;
59  int skew = 0;
60  int word = 0;
61 
62  /* 1 2 3 */
63  int u_last;
64  int u;
65 
66  int flip;
67  int bit;
69  int not_neg_one;
70 
71  VERIFY_CHECK(w > 0);
72  VERIFY_CHECK(size > 0);
73 
74  /* Note that we cannot handle even numbers by negating them to be odd, as is
75  * done in other implementations, since if our scalars were specified to have
76  * width < 256 for performance reasons, their negations would have width 256
77  * and we'd lose any performance benefit. Instead, we use a technique from
78  * Section 4.2 of the Okeya/Tagaki paper, which is to add either 1 (for even)
79  * or 2 (for odd) to the number we are encoding, returning a skew value indicating
80  * this, and having the caller compensate after doing the multiplication.
81  *
82  * In fact, we _do_ want to negate numbers to minimize their bit-lengths (and in
83  * particular, to ensure that the outputs from the endomorphism-split fit into
84  * 128 bits). If we negate, the parity of our number flips, inverting which of
85  * {1, 2} we want to add to the scalar when ensuring that it's odd. Further
86  * complicating things, -1 interacts badly with `secp256k1_scalar_cadd_bit` and
87  * we need to special-case it in this logic. */
88  flip = secp256k1_scalar_is_high(scalar);
89  /* We add 1 to even numbers, 2 to odd ones, noting that negation flips parity */
90  bit = flip ^ !secp256k1_scalar_is_even(scalar);
91  /* We check for negative one, since adding 2 to it will cause an overflow */
92  secp256k1_scalar_negate(&s, scalar);
93  not_neg_one = !secp256k1_scalar_is_one(&s);
94  s = *scalar;
95  secp256k1_scalar_cadd_bit(&s, bit, not_neg_one);
96  /* If we had negative one, flip == 1, s.d[0] == 0, bit == 1, so caller expects
97  * that we added two to it and flipped it. In fact for -1 these operations are
98  * identical. We only flipped, but since skewing is required (in the sense that
99  * the skew must be 1 or 2, never zero) and flipping is not, we need to change
100  * our flags to claim that we only skewed. */
101  global_sign = secp256k1_scalar_cond_negate(&s, flip);
102  global_sign *= not_neg_one * 2 - 1;
103  skew = 1 << bit;
104 
105  /* 4 */
106  u_last = secp256k1_scalar_shr_int(&s, w);
107  do {
108  int sign;
109  int even;
110 
111  /* 4.1 4.4 */
112  u = secp256k1_scalar_shr_int(&s, w);
113  /* 4.2 */
114  even = ((u & 1) == 0);
115  sign = 2 * (u_last > 0) - 1;
116  u += sign * even;
117  u_last -= sign * even * (1 << w);
118 
119  /* 4.3, adapted for global sign change */
120  wnaf[word++] = u_last * global_sign;
121 
122  u_last = u;
123  } while (word * w < size);
124  wnaf[word] = u * global_sign;
125 
127  VERIFY_CHECK(word == WNAF_SIZE_BITS(size, w));
128  return skew;
129 }
130 
131 static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *scalar, int size) {
133  secp256k1_ge tmpa;
134  secp256k1_fe Z;
135 
136  int skew_1;
137 #ifdef USE_ENDOMORPHISM
139  int wnaf_lam[1 + WNAF_SIZE(WINDOW_A - 1)];
140  int skew_lam;
141  secp256k1_scalar q_1, q_lam;
142 #endif
143  int wnaf_1[1 + WNAF_SIZE(WINDOW_A - 1)];
144 
145  int i;
146 
147  /* build wnaf representation for q. */
148  int rsize = size;
149 #ifdef USE_ENDOMORPHISM
150  if (size > 128) {
151  rsize = 128;
152  /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */
153  secp256k1_scalar_split_lambda(&q_1, &q_lam, scalar);
154  skew_1 = secp256k1_wnaf_const(wnaf_1, &q_1, WINDOW_A - 1, 128);
155  skew_lam = secp256k1_wnaf_const(wnaf_lam, &q_lam, WINDOW_A - 1, 128);
156  } else
157 #endif
158  {
159  skew_1 = secp256k1_wnaf_const(wnaf_1, scalar, WINDOW_A - 1, size);
160 #ifdef USE_ENDOMORPHISM
161  skew_lam = 0;
162 #endif
163  }
164 
165  /* Calculate odd multiples of a.
166  * All multiples are brought to the same Z 'denominator', which is stored
167  * in Z. Due to secp256k1' isomorphism we can do all operations pretending
168  * that the Z coordinate was 1, use affine addition formulae, and correct
169  * the Z coordinate of the result once at the end.
170  */
171  secp256k1_gej_set_ge(r, a);
173  for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
174  secp256k1_fe_normalize_weak(&pre_a[i].y);
175  }
176 #ifdef USE_ENDOMORPHISM
177  if (size > 128) {
178  for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
179  secp256k1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]);
180  }
181 
182  }
183 #endif
184 
185  /* first loop iteration (separated out so we can directly set r, rather
186  * than having it start at infinity, get doubled several times, then have
187  * its new value added to it) */
188  i = wnaf_1[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)];
189  VERIFY_CHECK(i != 0);
190  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, i, WINDOW_A);
191  secp256k1_gej_set_ge(r, &tmpa);
192 #ifdef USE_ENDOMORPHISM
193  if (size > 128) {
194  i = wnaf_lam[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)];
195  VERIFY_CHECK(i != 0);
196  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, i, WINDOW_A);
197  secp256k1_gej_add_ge(r, r, &tmpa);
198  }
199 #endif
200  /* remaining loop iterations */
201  for (i = WNAF_SIZE_BITS(rsize, WINDOW_A - 1) - 1; i >= 0; i--) {
202  int n;
203  int j;
204  for (j = 0; j < WINDOW_A - 1; ++j) {
206  }
207 
208  n = wnaf_1[i];
209  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, n, WINDOW_A);
210  VERIFY_CHECK(n != 0);
211  secp256k1_gej_add_ge(r, r, &tmpa);
212 #ifdef USE_ENDOMORPHISM
213  if (size > 128) {
214  n = wnaf_lam[i];
215  ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, n, WINDOW_A);
216  VERIFY_CHECK(n != 0);
217  secp256k1_gej_add_ge(r, r, &tmpa);
218  }
219 #endif
220  }
221 
222  secp256k1_fe_mul(&r->z, &r->z, &Z);
223 
224  {
225  /* Correct for wNAF skew */
226  secp256k1_ge correction = *a;
227  secp256k1_ge_storage correction_1_stor;
228 #ifdef USE_ENDOMORPHISM
229  secp256k1_ge_storage correction_lam_stor;
230 #endif
231  secp256k1_ge_storage a2_stor;
232  secp256k1_gej tmpj;
233  secp256k1_gej_set_ge(&tmpj, &correction);
234  secp256k1_gej_double_var(&tmpj, &tmpj, NULL);
235  secp256k1_ge_set_gej(&correction, &tmpj);
236  secp256k1_ge_to_storage(&correction_1_stor, a);
237 #ifdef USE_ENDOMORPHISM
238  if (size > 128) {
239  secp256k1_ge_to_storage(&correction_lam_stor, a);
240  }
241 #endif
242  secp256k1_ge_to_storage(&a2_stor, &correction);
243 
244  /* For odd numbers this is 2a (so replace it), for even ones a (so no-op) */
245  secp256k1_ge_storage_cmov(&correction_1_stor, &a2_stor, skew_1 == 2);
246 #ifdef USE_ENDOMORPHISM
247  if (size > 128) {
248  secp256k1_ge_storage_cmov(&correction_lam_stor, &a2_stor, skew_lam == 2);
249  }
250 #endif
251 
252  /* Apply the correction */
253  secp256k1_ge_from_storage(&correction, &correction_1_stor);
254  secp256k1_ge_neg(&correction, &correction);
255  secp256k1_gej_add_ge(r, r, &correction);
256 
257 #ifdef USE_ENDOMORPHISM
258  if (size > 128) {
259  secp256k1_ge_from_storage(&correction, &correction_lam_stor);
260  secp256k1_ge_neg(&correction, &correction);
261  secp256k1_ge_mul_lambda(&correction, &correction);
262  secp256k1_gej_add_ge(r, r, &correction);
263  }
264 #endif
265  }
266 }
267 
268 #endif /* SECP256K1_ECMULT_CONST_IMPL_H */
#define VERIFY_CHECK(cond)
Definition: util.h:68
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult_impl.h:71
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
static void secp256k1_ecmult_odd_multiples_table_globalz_windowa(secp256k1_ge *pre, secp256k1_fe *globalz, const secp256k1_gej *a)
Fill a table &#39;pre&#39; with precomputed odd multiples of a.
Definition: ecmult_impl.h:147
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *scalar, int size)
#define ECMULT_CONST_TABLE_GET_GE(r, pre, n, w)
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:67
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don&#39;t fully normalize.
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_gej_double_nonzero(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a, a cannot be infinity.
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
#define WINDOW_A
Definition: ecmult_impl.h:34
secp256k1_fe z
Definition: group.h:27
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:68
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.