github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/field.h (about) 1 /*********************************************************************** 2 * Copyright (c) 2013, 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_FIELD_H 8 #define SECP256K1_FIELD_H 9 10 #include "util.h" 11 12 /* This file defines the generic interface for working with secp256k1_fe 13 * objects, which represent field elements (integers modulo 2^256 - 2^32 - 977). 14 * 15 * The actual definition of the secp256k1_fe type depends on the chosen field 16 * implementation; see the field_5x52.h and field_10x26.h files for details. 17 * 18 * All secp256k1_fe objects have implicit properties that determine what 19 * operations are permitted on it. These are purely a function of what 20 * secp256k1_fe_ operations are applied on it, generally (implicitly) fixed at 21 * compile time, and do not depend on the chosen field implementation. Despite 22 * that, what these properties actually entail for the field representation 23 * values depends on the chosen field implementation. These properties are: 24 * - magnitude: an integer in [0,32] 25 * - normalized: 0 or 1; normalized=1 implies magnitude <= 1. 26 * 27 * In VERIFY mode, they are materialized explicitly as fields in the struct, 28 * allowing run-time verification of these properties. In that case, the field 29 * implementation also provides a secp256k1_fe_verify routine to verify that 30 * these fields match the run-time value and perform internal consistency 31 * checks. */ 32 #ifdef VERIFY 33 # define SECP256K1_FE_VERIFY_FIELDS \ 34 int magnitude; \ 35 int normalized; 36 #else 37 # define SECP256K1_FE_VERIFY_FIELDS 38 #endif 39 40 #if defined(SECP256K1_WIDEMUL_INT128) 41 #include "field_5x52.h" 42 #elif defined(SECP256K1_WIDEMUL_INT64) 43 #include "field_10x26.h" 44 #else 45 #error "Please select wide multiplication implementation" 46 #endif 47 48 #ifdef VERIFY 49 /* Magnitude and normalized value for constants. */ 50 #define SECP256K1_FE_VERIFY_CONST(d7, d6, d5, d4, d3, d2, d1, d0) \ 51 /* Magnitude is 0 for constant 0; 1 otherwise. */ \ 52 , (((d7) | (d6) | (d5) | (d4) | (d3) | (d2) | (d1) | (d0)) != 0) \ 53 /* Normalized is 1 unless sum(d_i<<(32*i) for i=0..7) exceeds field modulus. */ \ 54 , (!(((d7) & (d6) & (d5) & (d4) & (d3) & (d2)) == 0xfffffffful && ((d1) == 0xfffffffful || ((d1) == 0xfffffffe && (d0 >= 0xfffffc2f))))) 55 #else 56 #define SECP256K1_FE_VERIFY_CONST(d7, d6, d5, d4, d3, d2, d1, d0) 57 #endif 58 59 /** This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p. 60 * 61 * It has magnitude 1, unless d_i are all 0, in which case the magnitude is 0. 62 * It is normalized, unless sum(2^(i*32) * d_i, i=0..7) >= p. 63 * 64 * SECP256K1_FE_CONST_INNER is provided by the implementation. 65 */ 66 #define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {SECP256K1_FE_CONST_INNER((d7), (d6), (d5), (d4), (d3), (d2), (d1), (d0)) SECP256K1_FE_VERIFY_CONST((d7), (d6), (d5), (d4), (d3), (d2), (d1), (d0)) } 67 68 static const secp256k1_fe secp256k1_fe_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 69 static const secp256k1_fe secp256k1_const_beta = SECP256K1_FE_CONST( 70 0x7ae96a2bul, 0x657c0710ul, 0x6e64479eul, 0xac3434e9ul, 71 0x9cf04975ul, 0x12f58995ul, 0xc1396c28ul, 0x719501eeul 72 ); 73 74 #ifndef VERIFY 75 /* In non-VERIFY mode, we #define the fe operations to be identical to their 76 * internal field implementation, to avoid the potential overhead of a 77 * function call (even though presumably inlinable). */ 78 # define secp256k1_fe_normalize secp256k1_fe_impl_normalize 79 # define secp256k1_fe_normalize_weak secp256k1_fe_impl_normalize_weak 80 # define secp256k1_fe_normalize_var secp256k1_fe_impl_normalize_var 81 # define secp256k1_fe_normalizes_to_zero secp256k1_fe_impl_normalizes_to_zero 82 # define secp256k1_fe_normalizes_to_zero_var secp256k1_fe_impl_normalizes_to_zero_var 83 # define secp256k1_fe_set_int secp256k1_fe_impl_set_int 84 # define secp256k1_fe_is_zero secp256k1_fe_impl_is_zero 85 # define secp256k1_fe_is_odd secp256k1_fe_impl_is_odd 86 # define secp256k1_fe_cmp_var secp256k1_fe_impl_cmp_var 87 # define secp256k1_fe_set_b32_mod secp256k1_fe_impl_set_b32_mod 88 # define secp256k1_fe_set_b32_limit secp256k1_fe_impl_set_b32_limit 89 # define secp256k1_fe_get_b32 secp256k1_fe_impl_get_b32 90 # define secp256k1_fe_negate_unchecked secp256k1_fe_impl_negate_unchecked 91 # define secp256k1_fe_mul_int_unchecked secp256k1_fe_impl_mul_int_unchecked 92 # define secp256k1_fe_add secp256k1_fe_impl_add 93 # define secp256k1_fe_mul secp256k1_fe_impl_mul 94 # define secp256k1_fe_sqr secp256k1_fe_impl_sqr 95 # define secp256k1_fe_cmov secp256k1_fe_impl_cmov 96 # define secp256k1_fe_to_storage secp256k1_fe_impl_to_storage 97 # define secp256k1_fe_from_storage secp256k1_fe_impl_from_storage 98 # define secp256k1_fe_inv secp256k1_fe_impl_inv 99 # define secp256k1_fe_inv_var secp256k1_fe_impl_inv_var 100 # define secp256k1_fe_get_bounds secp256k1_fe_impl_get_bounds 101 # define secp256k1_fe_half secp256k1_fe_impl_half 102 # define secp256k1_fe_add_int secp256k1_fe_impl_add_int 103 # define secp256k1_fe_is_square_var secp256k1_fe_impl_is_square_var 104 #endif /* !defined(VERIFY) */ 105 106 /** Normalize a field element. 107 * 108 * On input, r must be a valid field element. 109 * On output, r represents the same value but has normalized=1 and magnitude=1. 110 */ 111 static void secp256k1_fe_normalize(secp256k1_fe *r); 112 113 /** Give a field element magnitude 1. 114 * 115 * On input, r must be a valid field element. 116 * On output, r represents the same value but has magnitude=1. Normalized is unchanged. 117 */ 118 static void secp256k1_fe_normalize_weak(secp256k1_fe *r); 119 120 /** Normalize a field element, without constant-time guarantee. 121 * 122 * Identical in behavior to secp256k1_fe_normalize, but not constant time in r. 123 */ 124 static void secp256k1_fe_normalize_var(secp256k1_fe *r); 125 126 /** Determine whether r represents field element 0. 127 * 128 * On input, r must be a valid field element. 129 * Returns whether r = 0 (mod p). 130 */ 131 static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r); 132 133 /** Determine whether r represents field element 0, without constant-time guarantee. 134 * 135 * Identical in behavior to secp256k1_normalizes_to_zero, but not constant time in r. 136 */ 137 static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r); 138 139 /** Set a field element to an integer in range [0,0x7FFF]. 140 * 141 * On input, r does not need to be initialized, a must be in [0,0x7FFF]. 142 * On output, r represents value a, is normalized and has magnitude (a!=0). 143 */ 144 static void secp256k1_fe_set_int(secp256k1_fe *r, int a); 145 146 /** Clear a field element to prevent leaking sensitive information. */ 147 static void secp256k1_fe_clear(secp256k1_fe *a); 148 149 /** Determine whether a represents field element 0. 150 * 151 * On input, a must be a valid normalized field element. 152 * Returns whether a = 0 (mod p). 153 * 154 * This behaves identical to secp256k1_normalizes_to_zero{,_var}, but requires 155 * normalized input (and is much faster). 156 */ 157 static int secp256k1_fe_is_zero(const secp256k1_fe *a); 158 159 /** Determine whether a (mod p) is odd. 160 * 161 * On input, a must be a valid normalized field element. 162 * Returns (int(a) mod p) & 1. 163 */ 164 static int secp256k1_fe_is_odd(const secp256k1_fe *a); 165 166 /** Determine whether two field elements are equal. 167 * 168 * On input, a and b must be valid field elements with magnitudes not exceeding 169 * 1 and 31, respectively. 170 * Returns a = b (mod p). 171 */ 172 static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b); 173 174 /** Compare the values represented by 2 field elements, without constant-time guarantee. 175 * 176 * On input, a and b must be valid normalized field elements. 177 * Returns 1 if a > b, -1 if a < b, and 0 if a = b (comparisons are done as integers 178 * in range 0..p-1). 179 */ 180 static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b); 181 182 /** Set a field element equal to the element represented by a provided 32-byte big endian value 183 * interpreted modulo p. 184 * 185 * On input, r does not need to be initialized. a must be a pointer to an initialized 32-byte array. 186 * On output, r = a (mod p). It will have magnitude 1, and not be normalized. 187 */ 188 static void secp256k1_fe_set_b32_mod(secp256k1_fe *r, const unsigned char *a); 189 190 /** Set a field element equal to a provided 32-byte big endian value, checking for overflow. 191 * 192 * On input, r does not need to be initialized. a must be a pointer to an initialized 32-byte array. 193 * On output, r = a if (a < p), it will be normalized with magnitude 1, and 1 is returned. 194 * If a >= p, 0 is returned, and r will be made invalid (and must not be used without overwriting). 195 */ 196 static int secp256k1_fe_set_b32_limit(secp256k1_fe *r, const unsigned char *a); 197 198 /** Convert a field element to 32-byte big endian byte array. 199 * On input, a must be a valid normalized field element, and r a pointer to a 32-byte array. 200 * On output, r = a (mod p). 201 */ 202 static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a); 203 204 /** Negate a field element. 205 * 206 * On input, r does not need to be initialized. a must be a valid field element with 207 * magnitude not exceeding m. m must be an integer constant expression in [0,31]. 208 * Performs {r = -a}. 209 * On output, r will not be normalized, and will have magnitude m+1. 210 */ 211 #define secp256k1_fe_negate(r, a, m) ASSERT_INT_CONST_AND_DO(m, secp256k1_fe_negate_unchecked(r, a, m)) 212 213 /** Like secp256k1_fe_negate_unchecked but m is not checked to be an integer constant expression. 214 * 215 * Should not be called directly outside of tests. 216 */ 217 static void secp256k1_fe_negate_unchecked(secp256k1_fe *r, const secp256k1_fe *a, int m); 218 219 /** Add a small integer to a field element. 220 * 221 * Performs {r += a}. The magnitude of r increases by 1, and normalized is cleared. 222 * a must be in range [0,0x7FFF]. 223 */ 224 static void secp256k1_fe_add_int(secp256k1_fe *r, int a); 225 226 /** Multiply a field element with a small integer. 227 * 228 * On input, r must be a valid field element. a must be an integer constant expression in [0,32]. 229 * The magnitude of r times a must not exceed 32. 230 * Performs {r *= a}. 231 * On output, r's magnitude is multiplied by a, and r will not be normalized. 232 */ 233 #define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a)) 234 235 /** Like secp256k1_fe_mul_int but a is not checked to be an integer constant expression. 236 * 237 * Should not be called directly outside of tests. 238 */ 239 static void secp256k1_fe_mul_int_unchecked(secp256k1_fe *r, int a); 240 241 /** Increment a field element by another. 242 * 243 * On input, r and a must be valid field elements, not necessarily normalized. 244 * The sum of their magnitudes must not exceed 32. 245 * Performs {r += a}. 246 * On output, r will not be normalized, and will have magnitude incremented by a's. 247 */ 248 static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a); 249 250 /** Multiply two field elements. 251 * 252 * On input, a and b must be valid field elements; r does not need to be initialized. 253 * r and a may point to the same object, but neither may point to the object pointed 254 * to by b. The magnitudes of a and b must not exceed 8. 255 * Performs {r = a * b} 256 * On output, r will have magnitude 1, but won't be normalized. 257 */ 258 static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b); 259 260 /** Square a field element. 261 * 262 * On input, a must be a valid field element; r does not need to be initialized. The magnitude 263 * of a must not exceed 8. 264 * Performs {r = a**2} 265 * On output, r will have magnitude 1, but won't be normalized. 266 */ 267 static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a); 268 269 /** Compute a square root of a field element. 270 * 271 * On input, a must be a valid field element with magnitude<=8; r need not be initialized. 272 * If sqrt(a) exists, performs {r = sqrt(a)} and returns 1. 273 * Otherwise, sqrt(-a) exists. The function performs {r = sqrt(-a)} and returns 0. 274 * The resulting value represented by r will be a square itself. 275 * Variables r and a must not point to the same object. 276 * On output, r will have magnitude 1 but will not be normalized. 277 */ 278 static int secp256k1_fe_sqrt(secp256k1_fe * SECP256K1_RESTRICT r, const secp256k1_fe * SECP256K1_RESTRICT a); 279 280 /** Compute the modular inverse of a field element. 281 * 282 * On input, a must be a valid field element; r need not be initialized. 283 * Performs {r = a**(p-2)} (which maps 0 to 0, and every other element to its 284 * inverse). 285 * On output, r will have magnitude (a.magnitude != 0) and be normalized. 286 */ 287 static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a); 288 289 /** Compute the modular inverse of a field element, without constant-time guarantee. 290 * 291 * Behaves identically to secp256k1_fe_inv, but is not constant-time in a. 292 */ 293 static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a); 294 295 /** Convert a field element to secp256k1_fe_storage. 296 * 297 * On input, a must be a valid normalized field element. 298 * Performs {r = a}. 299 */ 300 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a); 301 302 /** Convert a field element back from secp256k1_fe_storage. 303 * 304 * On input, r need not be initialized. 305 * Performs {r = a}. 306 * On output, r will be normalized and will have magnitude 1. 307 */ 308 static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a); 309 310 /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ 311 static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag); 312 313 /** Conditionally move a field element in constant time. 314 * 315 * On input, both r and a must be valid field elements. Flag must be 0 or 1. 316 * Performs {r = flag ? a : r}. 317 * 318 * On output, r's magnitude will be the maximum of both input magnitudes. 319 * It will be normalized if and only if both inputs were normalized. 320 */ 321 static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag); 322 323 /** Halve the value of a field element modulo the field prime in constant-time. 324 * 325 * On input, r must be a valid field element. 326 * On output, r will be normalized and have magnitude floor(m/2) + 1 where m is 327 * the magnitude of r on input. 328 */ 329 static void secp256k1_fe_half(secp256k1_fe *r); 330 331 /** Sets r to a field element with magnitude m, normalized if (and only if) m==0. 332 * The value is chosen so that it is likely to trigger edge cases related to 333 * internal overflows. */ 334 static void secp256k1_fe_get_bounds(secp256k1_fe *r, int m); 335 336 /** Determine whether a is a square (modulo p). 337 * 338 * On input, a must be a valid field element. 339 */ 340 static int secp256k1_fe_is_square_var(const secp256k1_fe *a); 341 342 /** Check invariants on a field element (no-op unless VERIFY is enabled). */ 343 static void secp256k1_fe_verify(const secp256k1_fe *a); 344 #define SECP256K1_FE_VERIFY(a) secp256k1_fe_verify(a) 345 346 /** Check that magnitude of a is at most m (no-op unless VERIFY is enabled). */ 347 static void secp256k1_fe_verify_magnitude(const secp256k1_fe *a, int m); 348 #define SECP256K1_FE_VERIFY_MAGNITUDE(a, m) secp256k1_fe_verify_magnitude(a, m) 349 350 #endif /* SECP256K1_FIELD_H */