ecmult__gen__compute__table__impl_8h_source.html

/***********************************************************************

 * Copyright (c) Pieter Wuille, Gregory Maxwell, Peter Dettman         *

 * Distributed under the MIT software license, see the accompanying    *

 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*

 ***********************************************************************/


#ifndef SECP256K1_ECMULT_GEN_COMPUTE_TABLE_IMPL_H

#define SECP256K1_ECMULT_GEN_COMPUTE_TABLE_IMPL_H


#include "ecmult_gen_compute_table.h"

#include "group_impl.h"

#include "field_impl.h"

#include "scalar_impl.h"

#include "ecmult_gen.h"

#include "util.h"


static void secp256k1_ecmult_gen_compute_table(secp256k1_ge_storage* table, const secp256k1_ge* gen, int blocks, int teeth, int spacing) {

    size_t points = ((size_t)1) << (teeth - 1);

    size_t points_total = points * blocks;

    secp256k1_ge* prec = checked_malloc(&default_error_callback, points_total * sizeof(*prec));

    secp256k1_gej* ds = checked_malloc(&default_error_callback, teeth * sizeof(*ds));

    secp256k1_gej* vs = checked_malloc(&default_error_callback, points_total * sizeof(*vs));

    secp256k1_gej u;

    size_t vs_pos = 0;

    secp256k1_scalar half;

    int block, i;


    VERIFY_CHECK(points_total > 0);


    /* u is the running power of two times gen we're working with, initially gen/2. */

    secp256k1_scalar_half(&half, &secp256k1_scalar_one);

    secp256k1_gej_set_infinity(&u);

    for (i = 255; i >= 0; --i) {

        /* Use a very simple multiplication ladder to avoid dependency on ecmult. */

        secp256k1_gej_double_var(&u, &u, NULL);

        if (secp256k1_scalar_get_bits_limb32(&half, i, 1)) {

            secp256k1_gej_add_ge_var(&u, &u, gen, NULL);

        }

    }

#ifdef VERIFY

    {

        /* Verify that u*2 = gen. */

        secp256k1_gej double_u;

        secp256k1_gej_double_var(&double_u, &u, NULL);

        VERIFY_CHECK(secp256k1_gej_eq_ge_var(&double_u, gen));

    }

#endif


    for (block = 0; block < blocks; ++block) {

        int tooth;

        /* Here u = 2^(block*teeth*spacing) * gen/2. */

        secp256k1_gej sum;

        secp256k1_gej_set_infinity(&sum);

        for (tooth = 0; tooth < teeth; ++tooth) {

            /* Here u = 2^((block*teeth + tooth)*spacing) * gen/2. */

            /* Make sum = sum(2^((block*teeth + t)*spacing), t=0..tooth) * gen/2. */

            secp256k1_gej_add_var(&sum, &sum, &u, NULL);

            /* Make u = 2^((block*teeth + tooth)*spacing + 1) * gen/2. */

            secp256k1_gej_double_var(&u, &u, NULL);

            /* Make ds[tooth] = u = 2^((block*teeth + tooth)*spacing + 1) * gen/2. */

            ds[tooth] = u;

            /* Make u = 2^((block*teeth + tooth + 1)*spacing) * gen/2, unless at the end. */

            if (block + tooth != blocks + teeth - 2) {

                int bit_off;

                for (bit_off = 1; bit_off < spacing; ++bit_off) {

                    secp256k1_gej_double_var(&u, &u, NULL);

                }

            }

        }

        /* Now u = 2^((block*teeth + teeth)*spacing) * gen/2

         *       = 2^((block+1)*teeth*spacing) * gen/2       */


        /* Next, compute the table entries for block number block in Jacobian coordinates.

         * The entries will occupy vs[block*points + i] for i=0..points-1.

         * We start by computing the first (i=0) value corresponding to all summed

         * powers of two times G being negative. */

        secp256k1_gej_neg(&vs[vs_pos++], &sum);

        /* And then teeth-1 times "double" the range of i values for which the table

         * is computed: in each iteration, double the table by taking an existing

         * table entry and adding ds[tooth]. */

        for (tooth = 0; tooth < teeth - 1; ++tooth) {

            size_t stride = ((size_t)1) << tooth;

            size_t index;

            for (index = 0; index < stride; ++index, ++vs_pos) {

                secp256k1_gej_add_var(&vs[vs_pos], &vs[vs_pos - stride], &ds[tooth], NULL);

            }

        }

    }

    VERIFY_CHECK(vs_pos == points_total);


    /* Convert all points simultaneously from secp256k1_gej to secp256k1_ge. */

    secp256k1_ge_set_all_gej_var(prec, vs, points_total);

    /* Convert all points from secp256k1_ge to secp256k1_ge_storage output. */

    for (block = 0; block < blocks; ++block) {

        size_t index;

        for (index = 0; index < points; ++index) {

            VERIFY_CHECK(!secp256k1_ge_is_infinity(&prec[block * points + index]));

            secp256k1_ge_to_storage(&table[block * points + index], &prec[block * points + index]);

        }

    }


    /* Free memory. */

    free(vs);

    free(ds);

    free(prec);

}


#endif /* SECP256K1_ECMULT_GEN_COMPUTE_TABLE_IMPL_H */

ecmult_gen.h

ecmult_gen_compute_table.h

secp256k1_ecmult_gen_compute_table
static void secp256k1_ecmult_gen_compute_table(secp256k1_ge_storage *table, const secp256k1_ge *gen, int blocks, int teeth, int spacing)
Definition: ecmult_gen_compute_table_impl.h:17

sum
volatile double sum
Definition: examples.cpp:10

field_impl.h

secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.

secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.

secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).

secp256k1_gej_eq_ge_var
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.

secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.

secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.

secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).

secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.

secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)

group_impl.h

secp256k1_scalar_half
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.

secp256k1_scalar_get_bits_limb32
static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.

scalar_impl.h

secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27

default_error_callback
static const secp256k1_callback default_error_callback
Definition: util.h:117

VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:159

checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:162

secp256k1_ge_storage
Definition: group.h:38

secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16

secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28

secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13

util.h