Bitcoin Core  0.20.99
P2P Digital Currency
scalar_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2014 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef SECP256K1_SCALAR_IMPL_H
8 #define SECP256K1_SCALAR_IMPL_H
9 
10 #include "scalar.h"
11 #include "util.h"
12 
13 #if defined HAVE_CONFIG_H
14 #include "libsecp256k1-config.h"
15 #endif
16 
17 #if defined(EXHAUSTIVE_TEST_ORDER)
18 #include "scalar_low_impl.h"
19 #elif defined(USE_SCALAR_4X64)
20 #include "scalar_4x64_impl.h"
21 #elif defined(USE_SCALAR_8X32)
22 #include "scalar_8x32_impl.h"
23 #else
24 #error "Please select scalar implementation"
25 #endif
26 
27 static const secp256k1_scalar secp256k1_scalar_one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
28 static const secp256k1_scalar secp256k1_scalar_zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
29 
30 #ifndef USE_NUM_NONE
32  unsigned char c[32];
34  secp256k1_num_set_bin(r, c, 32);
35 }
36 
39 #if defined(EXHAUSTIVE_TEST_ORDER)
40  static const unsigned char order[32] = {
41  0,0,0,0,0,0,0,0,
42  0,0,0,0,0,0,0,0,
43  0,0,0,0,0,0,0,0,
44  0,0,0,0,0,0,0,EXHAUSTIVE_TEST_ORDER
45  };
46 #else
47  static const unsigned char order[32] = {
48  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
49  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
50  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
51  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
52  };
53 #endif
54  secp256k1_num_set_bin(r, order, 32);
55 }
56 #endif
57 
58 static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin) {
59  int overflow;
60  secp256k1_scalar_set_b32(r, bin, &overflow);
61  return (!overflow) & (!secp256k1_scalar_is_zero(r));
62 }
63 
65 #if defined(EXHAUSTIVE_TEST_ORDER)
66  int i;
67  *r = 0;
68  for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++)
69  if ((i * *x) % EXHAUSTIVE_TEST_ORDER == 1)
70  *r = i;
71  /* If this VERIFY_CHECK triggers we were given a noninvertible scalar (and thus
72  * have a composite group order; fix it in exhaustive_tests.c). */
73  VERIFY_CHECK(*r != 0);
74 }
75 #else
77  int i;
78  /* First compute xN as x ^ (2^N - 1) for some values of N,
79  * and uM as x ^ M for some values of M. */
80  secp256k1_scalar x2, x3, x6, x8, x14, x28, x56, x112, x126;
81  secp256k1_scalar u2, u5, u9, u11, u13;
82 
83  secp256k1_scalar_sqr(&u2, x);
84  secp256k1_scalar_mul(&x2, &u2, x);
85  secp256k1_scalar_mul(&u5, &u2, &x2);
86  secp256k1_scalar_mul(&x3, &u5, &u2);
87  secp256k1_scalar_mul(&u9, &x3, &u2);
88  secp256k1_scalar_mul(&u11, &u9, &u2);
89  secp256k1_scalar_mul(&u13, &u11, &u2);
90 
91  secp256k1_scalar_sqr(&x6, &u13);
92  secp256k1_scalar_sqr(&x6, &x6);
93  secp256k1_scalar_mul(&x6, &x6, &u11);
94 
95  secp256k1_scalar_sqr(&x8, &x6);
96  secp256k1_scalar_sqr(&x8, &x8);
97  secp256k1_scalar_mul(&x8, &x8, &x2);
98 
99  secp256k1_scalar_sqr(&x14, &x8);
100  for (i = 0; i < 5; i++) {
101  secp256k1_scalar_sqr(&x14, &x14);
102  }
103  secp256k1_scalar_mul(&x14, &x14, &x6);
104 
105  secp256k1_scalar_sqr(&x28, &x14);
106  for (i = 0; i < 13; i++) {
107  secp256k1_scalar_sqr(&x28, &x28);
108  }
109  secp256k1_scalar_mul(&x28, &x28, &x14);
110 
111  secp256k1_scalar_sqr(&x56, &x28);
112  for (i = 0; i < 27; i++) {
113  secp256k1_scalar_sqr(&x56, &x56);
114  }
115  secp256k1_scalar_mul(&x56, &x56, &x28);
116 
117  secp256k1_scalar_sqr(&x112, &x56);
118  for (i = 0; i < 55; i++) {
119  secp256k1_scalar_sqr(&x112, &x112);
120  }
121  secp256k1_scalar_mul(&x112, &x112, &x56);
122 
123  secp256k1_scalar_sqr(&x126, &x112);
124  for (i = 0; i < 13; i++) {
125  secp256k1_scalar_sqr(&x126, &x126);
126  }
127  secp256k1_scalar_mul(&x126, &x126, &x14);
128 
129  /* Then accumulate the final result (t starts at x126). */
130  t = &x126;
131  for (i = 0; i < 3; i++) {
132  secp256k1_scalar_sqr(t, t);
133  }
134  secp256k1_scalar_mul(t, t, &u5); /* 101 */
135  for (i = 0; i < 4; i++) { /* 0 */
136  secp256k1_scalar_sqr(t, t);
137  }
138  secp256k1_scalar_mul(t, t, &x3); /* 111 */
139  for (i = 0; i < 4; i++) { /* 0 */
140  secp256k1_scalar_sqr(t, t);
141  }
142  secp256k1_scalar_mul(t, t, &u5); /* 101 */
143  for (i = 0; i < 5; i++) { /* 0 */
144  secp256k1_scalar_sqr(t, t);
145  }
146  secp256k1_scalar_mul(t, t, &u11); /* 1011 */
147  for (i = 0; i < 4; i++) {
148  secp256k1_scalar_sqr(t, t);
149  }
150  secp256k1_scalar_mul(t, t, &u11); /* 1011 */
151  for (i = 0; i < 4; i++) { /* 0 */
152  secp256k1_scalar_sqr(t, t);
153  }
154  secp256k1_scalar_mul(t, t, &x3); /* 111 */
155  for (i = 0; i < 5; i++) { /* 00 */
156  secp256k1_scalar_sqr(t, t);
157  }
158  secp256k1_scalar_mul(t, t, &x3); /* 111 */
159  for (i = 0; i < 6; i++) { /* 00 */
160  secp256k1_scalar_sqr(t, t);
161  }
162  secp256k1_scalar_mul(t, t, &u13); /* 1101 */
163  for (i = 0; i < 4; i++) { /* 0 */
164  secp256k1_scalar_sqr(t, t);
165  }
166  secp256k1_scalar_mul(t, t, &u5); /* 101 */
167  for (i = 0; i < 3; i++) {
168  secp256k1_scalar_sqr(t, t);
169  }
170  secp256k1_scalar_mul(t, t, &x3); /* 111 */
171  for (i = 0; i < 5; i++) { /* 0 */
172  secp256k1_scalar_sqr(t, t);
173  }
174  secp256k1_scalar_mul(t, t, &u9); /* 1001 */
175  for (i = 0; i < 6; i++) { /* 000 */
176  secp256k1_scalar_sqr(t, t);
177  }
178  secp256k1_scalar_mul(t, t, &u5); /* 101 */
179  for (i = 0; i < 10; i++) { /* 0000000 */
180  secp256k1_scalar_sqr(t, t);
181  }
182  secp256k1_scalar_mul(t, t, &x3); /* 111 */
183  for (i = 0; i < 4; i++) { /* 0 */
184  secp256k1_scalar_sqr(t, t);
185  }
186  secp256k1_scalar_mul(t, t, &x3); /* 111 */
187  for (i = 0; i < 9; i++) { /* 0 */
188  secp256k1_scalar_sqr(t, t);
189  }
190  secp256k1_scalar_mul(t, t, &x8); /* 11111111 */
191  for (i = 0; i < 5; i++) { /* 0 */
192  secp256k1_scalar_sqr(t, t);
193  }
194  secp256k1_scalar_mul(t, t, &u9); /* 1001 */
195  for (i = 0; i < 6; i++) { /* 00 */
196  secp256k1_scalar_sqr(t, t);
197  }
198  secp256k1_scalar_mul(t, t, &u11); /* 1011 */
199  for (i = 0; i < 4; i++) {
200  secp256k1_scalar_sqr(t, t);
201  }
202  secp256k1_scalar_mul(t, t, &u13); /* 1101 */
203  for (i = 0; i < 5; i++) {
204  secp256k1_scalar_sqr(t, t);
205  }
206  secp256k1_scalar_mul(t, t, &x2); /* 11 */
207  for (i = 0; i < 6; i++) { /* 00 */
208  secp256k1_scalar_sqr(t, t);
209  }
210  secp256k1_scalar_mul(t, t, &u13); /* 1101 */
211  for (i = 0; i < 10; i++) { /* 000000 */
212  secp256k1_scalar_sqr(t, t);
213  }
214  secp256k1_scalar_mul(t, t, &u13); /* 1101 */
215  for (i = 0; i < 4; i++) {
216  secp256k1_scalar_sqr(t, t);
217  }
218  secp256k1_scalar_mul(t, t, &u9); /* 1001 */
219  for (i = 0; i < 6; i++) { /* 00000 */
220  secp256k1_scalar_sqr(t, t);
221  }
222  secp256k1_scalar_mul(t, t, x); /* 1 */
223  for (i = 0; i < 8; i++) { /* 00 */
224  secp256k1_scalar_sqr(t, t);
225  }
226  secp256k1_scalar_mul(r, t, &x6); /* 111111 */
227 }
228 
230  return !(a->d[0] & 1);
231 }
232 #endif
233 
235 #if defined(USE_SCALAR_INV_BUILTIN)
237 #elif defined(USE_SCALAR_INV_NUM)
238  unsigned char b[32];
239  secp256k1_num n, m;
240  secp256k1_scalar t = *x;
242  secp256k1_num_set_bin(&n, b, 32);
244  secp256k1_num_mod_inverse(&n, &n, &m);
245  secp256k1_num_get_bin(b, 32, &n);
246  secp256k1_scalar_set_b32(r, b, NULL);
247  /* Verify that the inverse was computed correctly, without GMP code. */
248  secp256k1_scalar_mul(&t, &t, r);
250 #else
251 #error "Please select scalar inverse implementation"
252 #endif
253 }
254 
255 #ifdef USE_ENDOMORPHISM
256 #if defined(EXHAUSTIVE_TEST_ORDER)
257 
263 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
264  *r2 = (*a + 5) % EXHAUSTIVE_TEST_ORDER;
266 }
267 #else
268 
306 static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
307  secp256k1_scalar c1, c2;
308  static const secp256k1_scalar minus_lambda = SECP256K1_SCALAR_CONST(
309  0xAC9C52B3UL, 0x3FA3CF1FUL, 0x5AD9E3FDUL, 0x77ED9BA4UL,
310  0xA880B9FCUL, 0x8EC739C2UL, 0xE0CFC810UL, 0xB51283CFUL
311  );
312  static const secp256k1_scalar minus_b1 = SECP256K1_SCALAR_CONST(
313  0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL,
314  0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C3UL
315  );
316  static const secp256k1_scalar minus_b2 = SECP256K1_SCALAR_CONST(
317  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
318  0x8A280AC5UL, 0x0774346DUL, 0xD765CDA8UL, 0x3DB1562CUL
319  );
320  static const secp256k1_scalar g1 = SECP256K1_SCALAR_CONST(
321  0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00003086UL,
322  0xD221A7D4UL, 0x6BCDE86CUL, 0x90E49284UL, 0xEB153DABUL
323  );
324  static const secp256k1_scalar g2 = SECP256K1_SCALAR_CONST(
325  0x00000000UL, 0x00000000UL, 0x00000000UL, 0x0000E443UL,
326  0x7ED6010EUL, 0x88286F54UL, 0x7FA90ABFUL, 0xE4C42212UL
327  );
328  VERIFY_CHECK(r1 != a);
329  VERIFY_CHECK(r2 != a);
330  /* these _var calls are constant time since the shift amount is constant */
331  secp256k1_scalar_mul_shift_var(&c1, a, &g1, 272);
332  secp256k1_scalar_mul_shift_var(&c2, a, &g2, 272);
333  secp256k1_scalar_mul(&c1, &c1, &minus_b1);
334  secp256k1_scalar_mul(&c2, &c2, &minus_b2);
335  secp256k1_scalar_add(r2, &c1, &c2);
336  secp256k1_scalar_mul(r1, r2, &minus_lambda);
337  secp256k1_scalar_add(r1, r1, a);
338 }
339 #endif
340 #endif
341 
342 #endif /* SECP256K1_SCALAR_IMPL_H */
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
#define VERIFY_CHECK(cond)
Definition: util.h:68
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Definition: scalar_impl.h:58
static void secp256k1_num_set_bin(secp256k1_num *r, const unsigned char *a, unsigned int alen)
Set a number to the value of a binary big-endian string.
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *x)
Definition: scalar_impl.h:64
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static void secp256k1_num_mod_inverse(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *m)
Compute a modular inverse.
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift)
Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer...
#define EXHAUSTIVE_TEST_LAMBDA
#define SECP256K1_INLINE
Definition: secp256k1.h:124
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *x)
Definition: scalar_impl.h:234
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the square of a scalar (modulo the group order).
#define CHECK(cond)
Definition: util.h:53
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
uint64_t d[4]
Definition: scalar_4x64.h:14
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
#define EXHAUSTIVE_TEST_ORDER
static void secp256k1_scalar_get_num(secp256k1_num *r, const secp256k1_scalar *a)
Definition: scalar_impl.h:31
static void secp256k1_scalar_order_get_num(secp256k1_num *r)
secp256k1 curve order, see secp256k1_ecdsa_const_order_as_fe in ecdsa_impl.h
Definition: scalar_impl.h:38
static SECP256K1_INLINE int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Definition: scalar_impl.h:229
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
static void secp256k1_num_get_bin(unsigned char *r, unsigned int rlen, const secp256k1_num *a)
Convert a number&#39;s absolute value to a binary big-endian string.
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.