Bitcoin Core 28.99.0
P2P Digital Currency
scalar_low_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2015 Andrew Poelstra *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_SCALAR_REPR_IMPL_H
8#define SECP256K1_SCALAR_REPR_IMPL_H
9
10#include "checkmem.h"
11#include "scalar.h"
12#include "util.h"
13
14#include <string.h>
15
16SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a) {
17 SECP256K1_SCALAR_VERIFY(a);
18
19 return !(*a & 1);
20}
21
22SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v) {
23 *r = v % EXHAUSTIVE_TEST_ORDER;
24
25 SECP256K1_SCALAR_VERIFY(r);
26}
27
28SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count) {
29 SECP256K1_SCALAR_VERIFY(a);
30
31 VERIFY_CHECK(count > 0 && count <= 32);
32 if (offset < 32) {
33 return (*a >> offset) & (0xFFFFFFFF >> (32 - count));
34 } else {
35 return 0;
36 }
37}
38
39SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count) {
40 SECP256K1_SCALAR_VERIFY(a);
41
42 return secp256k1_scalar_get_bits_limb32(a, offset, count);
43}
44
45SECP256K1_INLINE static int secp256k1_scalar_check_overflow(const secp256k1_scalar *a) { return *a >= EXHAUSTIVE_TEST_ORDER; }
46
47static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
48 SECP256K1_SCALAR_VERIFY(a);
49 SECP256K1_SCALAR_VERIFY(b);
50
51 *r = (*a + *b) % EXHAUSTIVE_TEST_ORDER;
52
53 SECP256K1_SCALAR_VERIFY(r);
54 return *r < *b;
55}
56
57static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag) {
58 SECP256K1_SCALAR_VERIFY(r);
59
60 if (flag && bit < 32)
61 *r += ((uint32_t)1 << bit);
62
63 SECP256K1_SCALAR_VERIFY(r);
64 VERIFY_CHECK(bit < 32);
65 /* Verify that adding (1 << bit) will not overflow any in-range scalar *r by overflowing the underlying uint32_t. */
66 VERIFY_CHECK(((uint32_t)1 << bit) - 1 <= UINT32_MAX - EXHAUSTIVE_TEST_ORDER);
67}
68
69static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) {
70 int i;
71 int over = 0;
72 *r = 0;
73 for (i = 0; i < 32; i++) {
74 *r = (*r * 0x100) + b32[i];
75 if (*r >= EXHAUSTIVE_TEST_ORDER) {
76 over = 1;
77 *r %= EXHAUSTIVE_TEST_ORDER;
78 }
79 }
80 if (overflow) *overflow = over;
81
82 SECP256K1_SCALAR_VERIFY(r);
83}
84
85static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a) {
86 SECP256K1_SCALAR_VERIFY(a);
87
88 memset(bin, 0, 32);
89 bin[28] = *a >> 24; bin[29] = *a >> 16; bin[30] = *a >> 8; bin[31] = *a;
90}
91
92SECP256K1_INLINE static int secp256k1_scalar_is_zero(const secp256k1_scalar *a) {
93 SECP256K1_SCALAR_VERIFY(a);
94
95 return *a == 0;
96}
97
98static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a) {
99 SECP256K1_SCALAR_VERIFY(a);
100
101 if (*a == 0) {
102 *r = 0;
103 } else {
104 *r = EXHAUSTIVE_TEST_ORDER - *a;
105 }
106
107 SECP256K1_SCALAR_VERIFY(r);
108}
109
110SECP256K1_INLINE static int secp256k1_scalar_is_one(const secp256k1_scalar *a) {
111 SECP256K1_SCALAR_VERIFY(a);
112
113 return *a == 1;
114}
115
116static int secp256k1_scalar_is_high(const secp256k1_scalar *a) {
117 SECP256K1_SCALAR_VERIFY(a);
118
119 return *a > EXHAUSTIVE_TEST_ORDER / 2;
120}
121
122static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
123 SECP256K1_SCALAR_VERIFY(r);
124
125 if (flag) secp256k1_scalar_negate(r, r);
126
127 SECP256K1_SCALAR_VERIFY(r);
128 return flag ? -1 : 1;
129}
130
131static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) {
132 SECP256K1_SCALAR_VERIFY(a);
133 SECP256K1_SCALAR_VERIFY(b);
134
135 *r = (*a * *b) % EXHAUSTIVE_TEST_ORDER;
136
137 SECP256K1_SCALAR_VERIFY(r);
138}
139
140static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
141 SECP256K1_SCALAR_VERIFY(a);
142
143 *r1 = *a;
144 *r2 = 0;
145
146 SECP256K1_SCALAR_VERIFY(r1);
147 SECP256K1_SCALAR_VERIFY(r2);
148}
149
150SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b) {
151 SECP256K1_SCALAR_VERIFY(a);
152 SECP256K1_SCALAR_VERIFY(b);
153
154 return *a == *b;
155}
156
157static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) {
158 uint32_t mask0, mask1;
159 volatile int vflag = flag;
160 SECP256K1_SCALAR_VERIFY(a);
161 SECP256K1_CHECKMEM_CHECK_VERIFY(r, sizeof(*r));
162
163 mask0 = vflag + ~((uint32_t)0);
164 mask1 = ~mask0;
165 *r = (*r & mask0) | (*a & mask1);
166
167 SECP256K1_SCALAR_VERIFY(r);
168}
169
170static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *x) {
171 int i;
172 uint32_t res = 0;
173 SECP256K1_SCALAR_VERIFY(x);
174
175 for (i = 0; i < EXHAUSTIVE_TEST_ORDER; i++) {
176 if ((i * *x) % EXHAUSTIVE_TEST_ORDER == 1) {
177 res = i;
178 break;
179 }
180 }
181
182 /* If this VERIFY_CHECK triggers we were given a noninvertible scalar (and thus
183 * have a composite group order; fix it in exhaustive_tests.c). */
184 VERIFY_CHECK(res != 0);
185 *r = res;
186
187 SECP256K1_SCALAR_VERIFY(r);
188}
189
190static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *x) {
191 SECP256K1_SCALAR_VERIFY(x);
192
193 secp256k1_scalar_inverse(r, x);
194
195 SECP256K1_SCALAR_VERIFY(r);
196}
197
198static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a) {
199 SECP256K1_SCALAR_VERIFY(a);
200
201 *r = (*a + ((-(uint32_t)(*a & 1)) & EXHAUSTIVE_TEST_ORDER)) >> 1;
202
203 SECP256K1_SCALAR_VERIFY(r);
204}
205
206#endif /* SECP256K1_SCALAR_REPR_IMPL_H */
SECP256K1_CHECKMEM_CHECK_VERIFY
#define SECP256K1_CHECKMEM_CHECK_VERIFY(p, len)
Definition: checkmem.h:99
SECP256K1_SCALAR_VERIFY
#define SECP256K1_SCALAR_VERIFY(r)
Definition: scalar.h:103
secp256k1_scalar_is_even
static SECP256K1_INLINE int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Definition: scalar_low_impl.h:16
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_low_impl.h:45
secp256k1_scalar_half
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Definition: scalar_low_impl.h:198
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow)
Definition: scalar_low_impl.h:69
secp256k1_scalar_get_bits_var
static SECP256K1_INLINE uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Definition: scalar_low_impl.h:39
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *x)
Definition: scalar_low_impl.h:190
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Definition: scalar_low_impl.h:85
secp256k1_scalar_set_int
static SECP256K1_INLINE void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Definition: scalar_low_impl.h:22
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *x)
Definition: scalar_low_impl.h:170
secp256k1_scalar_cmov
static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
Definition: scalar_low_impl.h:157
secp256k1_scalar_eq
static SECP256K1_INLINE int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Definition: scalar_low_impl.h:150
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Definition: scalar_low_impl.h:47
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag)
Definition: scalar_low_impl.h:122
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Definition: scalar_low_impl.h:131
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Definition: scalar_low_impl.h:98
secp256k1_scalar_is_zero
static SECP256K1_INLINE int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Definition: scalar_low_impl.h:92
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Definition: scalar_low_impl.h:116
secp256k1_scalar_split_128
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a)
Definition: scalar_low_impl.h:140
secp256k1_scalar_get_bits_limb32
static SECP256K1_INLINE uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Definition: scalar_low_impl.h:28
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Definition: scalar_low_impl.h:57
secp256k1_scalar_is_one
static SECP256K1_INLINE int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Definition: scalar_low_impl.h:110
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition: util.h:54
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:159
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
count
static int count
Definition: tests_exhaustive.c:34
EXHAUSTIVE_TEST_ORDER
#define EXHAUSTIVE_TEST_ORDER
Definition: tests_exhaustive.c:13
Generated on Wed Dec 18 2024 20:00:12 for Bitcoin Core by doxygen 1.9.4