github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/field_impl.h (about) 1 /*********************************************************************** 2 * Copyright (c) 2013, 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_FIELD_IMPL_H 8 #define SECP256K1_FIELD_IMPL_H 9 10 #include "field.h" 11 #include "util.h" 12 13 #if defined(SECP256K1_WIDEMUL_INT128) 14 #include "field_5x52_impl.h" 15 #elif defined(SECP256K1_WIDEMUL_INT64) 16 #include "field_10x26_impl.h" 17 #else 18 #error "Please select wide multiplication implementation" 19 #endif 20 21 SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe *a) { 22 secp256k1_memclear(a, sizeof(secp256k1_fe)); 23 } 24 25 SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) { 26 secp256k1_fe na; 27 SECP256K1_FE_VERIFY(a); 28 SECP256K1_FE_VERIFY(b); 29 SECP256K1_FE_VERIFY_MAGNITUDE(a, 1); 30 SECP256K1_FE_VERIFY_MAGNITUDE(b, 31); 31 32 secp256k1_fe_negate(&na, a, 1); 33 secp256k1_fe_add(&na, b); 34 return secp256k1_fe_normalizes_to_zero(&na); 35 } 36 37 static int secp256k1_fe_sqrt(secp256k1_fe * SECP256K1_RESTRICT r, const secp256k1_fe * SECP256K1_RESTRICT a) { 38 /** Given that p is congruent to 3 mod 4, we can compute the square root of 39 * a mod p as the (p+1)/4'th power of a. 40 * 41 * As (p+1)/4 is an even number, it will have the same result for a and for 42 * (-a). Only one of these two numbers actually has a square root however, 43 * so we test at the end by squaring and comparing to the input. 44 * Also because (p+1)/4 is an even number, the computed square root is 45 * itself always a square (a ** ((p+1)/4) is the square of a ** ((p+1)/8)). 46 */ 47 secp256k1_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; 48 int j, ret; 49 50 VERIFY_CHECK(r != a); 51 SECP256K1_FE_VERIFY(a); 52 SECP256K1_FE_VERIFY_MAGNITUDE(a, 8); 53 54 /** The binary representation of (p + 1)/4 has 3 blocks of 1s, with lengths in 55 * { 2, 22, 223 }. Use an addition chain to calculate 2^n - 1 for each block: 56 * 1, [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223] 57 */ 58 59 secp256k1_fe_sqr(&x2, a); 60 secp256k1_fe_mul(&x2, &x2, a); 61 62 secp256k1_fe_sqr(&x3, &x2); 63 secp256k1_fe_mul(&x3, &x3, a); 64 65 x6 = x3; 66 for (j=0; j<3; j++) { 67 secp256k1_fe_sqr(&x6, &x6); 68 } 69 secp256k1_fe_mul(&x6, &x6, &x3); 70 71 x9 = x6; 72 for (j=0; j<3; j++) { 73 secp256k1_fe_sqr(&x9, &x9); 74 } 75 secp256k1_fe_mul(&x9, &x9, &x3); 76 77 x11 = x9; 78 for (j=0; j<2; j++) { 79 secp256k1_fe_sqr(&x11, &x11); 80 } 81 secp256k1_fe_mul(&x11, &x11, &x2); 82 83 x22 = x11; 84 for (j=0; j<11; j++) { 85 secp256k1_fe_sqr(&x22, &x22); 86 } 87 secp256k1_fe_mul(&x22, &x22, &x11); 88 89 x44 = x22; 90 for (j=0; j<22; j++) { 91 secp256k1_fe_sqr(&x44, &x44); 92 } 93 secp256k1_fe_mul(&x44, &x44, &x22); 94 95 x88 = x44; 96 for (j=0; j<44; j++) { 97 secp256k1_fe_sqr(&x88, &x88); 98 } 99 secp256k1_fe_mul(&x88, &x88, &x44); 100 101 x176 = x88; 102 for (j=0; j<88; j++) { 103 secp256k1_fe_sqr(&x176, &x176); 104 } 105 secp256k1_fe_mul(&x176, &x176, &x88); 106 107 x220 = x176; 108 for (j=0; j<44; j++) { 109 secp256k1_fe_sqr(&x220, &x220); 110 } 111 secp256k1_fe_mul(&x220, &x220, &x44); 112 113 x223 = x220; 114 for (j=0; j<3; j++) { 115 secp256k1_fe_sqr(&x223, &x223); 116 } 117 secp256k1_fe_mul(&x223, &x223, &x3); 118 119 /* The final result is then assembled using a sliding window over the blocks. */ 120 121 t1 = x223; 122 for (j=0; j<23; j++) { 123 secp256k1_fe_sqr(&t1, &t1); 124 } 125 secp256k1_fe_mul(&t1, &t1, &x22); 126 for (j=0; j<6; j++) { 127 secp256k1_fe_sqr(&t1, &t1); 128 } 129 secp256k1_fe_mul(&t1, &t1, &x2); 130 secp256k1_fe_sqr(&t1, &t1); 131 secp256k1_fe_sqr(r, &t1); 132 133 /* Check that a square root was actually calculated */ 134 135 secp256k1_fe_sqr(&t1, r); 136 ret = secp256k1_fe_equal(&t1, a); 137 138 #ifdef VERIFY 139 if (!ret) { 140 secp256k1_fe_negate(&t1, &t1, 1); 141 secp256k1_fe_normalize_var(&t1); 142 VERIFY_CHECK(secp256k1_fe_equal(&t1, a)); 143 } 144 #endif 145 return ret; 146 } 147 148 #ifndef VERIFY 149 static void secp256k1_fe_verify(const secp256k1_fe *a) { (void)a; } 150 static void secp256k1_fe_verify_magnitude(const secp256k1_fe *a, int m) { (void)a; (void)m; } 151 #else 152 static void secp256k1_fe_impl_verify(const secp256k1_fe *a); 153 static void secp256k1_fe_verify(const secp256k1_fe *a) { 154 /* Magnitude between 0 and 32. */ 155 SECP256K1_FE_VERIFY_MAGNITUDE(a, 32); 156 /* Normalized is 0 or 1. */ 157 VERIFY_CHECK((a->normalized == 0) || (a->normalized == 1)); 158 /* If normalized, magnitude must be 0 or 1. */ 159 if (a->normalized) SECP256K1_FE_VERIFY_MAGNITUDE(a, 1); 160 /* Invoke implementation-specific checks. */ 161 secp256k1_fe_impl_verify(a); 162 } 163 164 static void secp256k1_fe_verify_magnitude(const secp256k1_fe *a, int m) { 165 VERIFY_CHECK(m >= 0); 166 VERIFY_CHECK(m <= 32); 167 VERIFY_CHECK(a->magnitude <= m); 168 } 169 170 static void secp256k1_fe_impl_normalize(secp256k1_fe *r); 171 SECP256K1_INLINE static void secp256k1_fe_normalize(secp256k1_fe *r) { 172 SECP256K1_FE_VERIFY(r); 173 174 secp256k1_fe_impl_normalize(r); 175 r->magnitude = 1; 176 r->normalized = 1; 177 178 SECP256K1_FE_VERIFY(r); 179 } 180 181 static void secp256k1_fe_impl_normalize_weak(secp256k1_fe *r); 182 SECP256K1_INLINE static void secp256k1_fe_normalize_weak(secp256k1_fe *r) { 183 SECP256K1_FE_VERIFY(r); 184 185 secp256k1_fe_impl_normalize_weak(r); 186 r->magnitude = 1; 187 188 SECP256K1_FE_VERIFY(r); 189 } 190 191 static void secp256k1_fe_impl_normalize_var(secp256k1_fe *r); 192 SECP256K1_INLINE static void secp256k1_fe_normalize_var(secp256k1_fe *r) { 193 SECP256K1_FE_VERIFY(r); 194 195 secp256k1_fe_impl_normalize_var(r); 196 r->magnitude = 1; 197 r->normalized = 1; 198 199 SECP256K1_FE_VERIFY(r); 200 } 201 202 static int secp256k1_fe_impl_normalizes_to_zero(const secp256k1_fe *r); 203 SECP256K1_INLINE static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) { 204 SECP256K1_FE_VERIFY(r); 205 206 return secp256k1_fe_impl_normalizes_to_zero(r); 207 } 208 209 static int secp256k1_fe_impl_normalizes_to_zero_var(const secp256k1_fe *r); 210 SECP256K1_INLINE static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r) { 211 SECP256K1_FE_VERIFY(r); 212 213 return secp256k1_fe_impl_normalizes_to_zero_var(r); 214 } 215 216 static void secp256k1_fe_impl_set_int(secp256k1_fe *r, int a); 217 SECP256K1_INLINE static void secp256k1_fe_set_int(secp256k1_fe *r, int a) { 218 VERIFY_CHECK(0 <= a && a <= 0x7FFF); 219 220 secp256k1_fe_impl_set_int(r, a); 221 r->magnitude = (a != 0); 222 r->normalized = 1; 223 224 SECP256K1_FE_VERIFY(r); 225 } 226 227 static void secp256k1_fe_impl_add_int(secp256k1_fe *r, int a); 228 SECP256K1_INLINE static void secp256k1_fe_add_int(secp256k1_fe *r, int a) { 229 VERIFY_CHECK(0 <= a && a <= 0x7FFF); 230 SECP256K1_FE_VERIFY(r); 231 232 secp256k1_fe_impl_add_int(r, a); 233 r->magnitude += 1; 234 r->normalized = 0; 235 236 SECP256K1_FE_VERIFY(r); 237 } 238 239 static int secp256k1_fe_impl_is_zero(const secp256k1_fe *a); 240 SECP256K1_INLINE static int secp256k1_fe_is_zero(const secp256k1_fe *a) { 241 SECP256K1_FE_VERIFY(a); 242 VERIFY_CHECK(a->normalized); 243 244 return secp256k1_fe_impl_is_zero(a); 245 } 246 247 static int secp256k1_fe_impl_is_odd(const secp256k1_fe *a); 248 SECP256K1_INLINE static int secp256k1_fe_is_odd(const secp256k1_fe *a) { 249 SECP256K1_FE_VERIFY(a); 250 VERIFY_CHECK(a->normalized); 251 252 return secp256k1_fe_impl_is_odd(a); 253 } 254 255 static int secp256k1_fe_impl_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b); 256 SECP256K1_INLINE static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) { 257 SECP256K1_FE_VERIFY(a); 258 SECP256K1_FE_VERIFY(b); 259 VERIFY_CHECK(a->normalized); 260 VERIFY_CHECK(b->normalized); 261 262 return secp256k1_fe_impl_cmp_var(a, b); 263 } 264 265 static void secp256k1_fe_impl_set_b32_mod(secp256k1_fe *r, const unsigned char *a); 266 SECP256K1_INLINE static void secp256k1_fe_set_b32_mod(secp256k1_fe *r, const unsigned char *a) { 267 secp256k1_fe_impl_set_b32_mod(r, a); 268 r->magnitude = 1; 269 r->normalized = 0; 270 271 SECP256K1_FE_VERIFY(r); 272 } 273 274 static int secp256k1_fe_impl_set_b32_limit(secp256k1_fe *r, const unsigned char *a); 275 SECP256K1_INLINE static int secp256k1_fe_set_b32_limit(secp256k1_fe *r, const unsigned char *a) { 276 if (secp256k1_fe_impl_set_b32_limit(r, a)) { 277 r->magnitude = 1; 278 r->normalized = 1; 279 SECP256K1_FE_VERIFY(r); 280 return 1; 281 } else { 282 /* Mark the output field element as invalid. */ 283 r->magnitude = -1; 284 return 0; 285 } 286 } 287 288 static void secp256k1_fe_impl_get_b32(unsigned char *r, const secp256k1_fe *a); 289 SECP256K1_INLINE static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a) { 290 SECP256K1_FE_VERIFY(a); 291 VERIFY_CHECK(a->normalized); 292 293 secp256k1_fe_impl_get_b32(r, a); 294 } 295 296 static void secp256k1_fe_impl_negate_unchecked(secp256k1_fe *r, const secp256k1_fe *a, int m); 297 SECP256K1_INLINE static void secp256k1_fe_negate_unchecked(secp256k1_fe *r, const secp256k1_fe *a, int m) { 298 SECP256K1_FE_VERIFY(a); 299 VERIFY_CHECK(m >= 0 && m <= 31); 300 SECP256K1_FE_VERIFY_MAGNITUDE(a, m); 301 302 secp256k1_fe_impl_negate_unchecked(r, a, m); 303 r->magnitude = m + 1; 304 r->normalized = 0; 305 306 SECP256K1_FE_VERIFY(r); 307 } 308 309 static void secp256k1_fe_impl_mul_int_unchecked(secp256k1_fe *r, int a); 310 SECP256K1_INLINE static void secp256k1_fe_mul_int_unchecked(secp256k1_fe *r, int a) { 311 SECP256K1_FE_VERIFY(r); 312 313 VERIFY_CHECK(a >= 0 && a <= 32); 314 VERIFY_CHECK(a*r->magnitude <= 32); 315 secp256k1_fe_impl_mul_int_unchecked(r, a); 316 r->magnitude *= a; 317 r->normalized = 0; 318 319 SECP256K1_FE_VERIFY(r); 320 } 321 322 static void secp256k1_fe_impl_add(secp256k1_fe *r, const secp256k1_fe *a); 323 SECP256K1_INLINE static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a) { 324 SECP256K1_FE_VERIFY(r); 325 SECP256K1_FE_VERIFY(a); 326 VERIFY_CHECK(r->magnitude + a->magnitude <= 32); 327 328 secp256k1_fe_impl_add(r, a); 329 r->magnitude += a->magnitude; 330 r->normalized = 0; 331 332 SECP256K1_FE_VERIFY(r); 333 } 334 335 static void secp256k1_fe_impl_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b); 336 SECP256K1_INLINE static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b) { 337 SECP256K1_FE_VERIFY(a); 338 SECP256K1_FE_VERIFY(b); 339 SECP256K1_FE_VERIFY_MAGNITUDE(a, 8); 340 SECP256K1_FE_VERIFY_MAGNITUDE(b, 8); 341 VERIFY_CHECK(r != b); 342 VERIFY_CHECK(a != b); 343 344 secp256k1_fe_impl_mul(r, a, b); 345 r->magnitude = 1; 346 r->normalized = 0; 347 348 SECP256K1_FE_VERIFY(r); 349 } 350 351 static void secp256k1_fe_impl_sqr(secp256k1_fe *r, const secp256k1_fe *a); 352 SECP256K1_INLINE static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) { 353 SECP256K1_FE_VERIFY(a); 354 SECP256K1_FE_VERIFY_MAGNITUDE(a, 8); 355 356 secp256k1_fe_impl_sqr(r, a); 357 r->magnitude = 1; 358 r->normalized = 0; 359 360 SECP256K1_FE_VERIFY(r); 361 } 362 363 static void secp256k1_fe_impl_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag); 364 SECP256K1_INLINE static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) { 365 VERIFY_CHECK(flag == 0 || flag == 1); 366 SECP256K1_FE_VERIFY(a); 367 SECP256K1_FE_VERIFY(r); 368 369 secp256k1_fe_impl_cmov(r, a, flag); 370 if (a->magnitude > r->magnitude) r->magnitude = a->magnitude; 371 if (!a->normalized) r->normalized = 0; 372 373 SECP256K1_FE_VERIFY(r); 374 } 375 376 static void secp256k1_fe_impl_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a); 377 SECP256K1_INLINE static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) { 378 SECP256K1_FE_VERIFY(a); 379 VERIFY_CHECK(a->normalized); 380 381 secp256k1_fe_impl_to_storage(r, a); 382 } 383 384 static void secp256k1_fe_impl_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a); 385 SECP256K1_INLINE static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a) { 386 secp256k1_fe_impl_from_storage(r, a); 387 r->magnitude = 1; 388 r->normalized = 1; 389 390 SECP256K1_FE_VERIFY(r); 391 } 392 393 static void secp256k1_fe_impl_inv(secp256k1_fe *r, const secp256k1_fe *x); 394 SECP256K1_INLINE static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) { 395 int input_is_zero = secp256k1_fe_normalizes_to_zero(x); 396 SECP256K1_FE_VERIFY(x); 397 398 secp256k1_fe_impl_inv(r, x); 399 r->magnitude = x->magnitude > 0; 400 r->normalized = 1; 401 402 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == input_is_zero); 403 SECP256K1_FE_VERIFY(r); 404 } 405 406 static void secp256k1_fe_impl_inv_var(secp256k1_fe *r, const secp256k1_fe *x); 407 SECP256K1_INLINE static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) { 408 int input_is_zero = secp256k1_fe_normalizes_to_zero(x); 409 SECP256K1_FE_VERIFY(x); 410 411 secp256k1_fe_impl_inv_var(r, x); 412 r->magnitude = x->magnitude > 0; 413 r->normalized = 1; 414 415 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == input_is_zero); 416 SECP256K1_FE_VERIFY(r); 417 } 418 419 static int secp256k1_fe_impl_is_square_var(const secp256k1_fe *x); 420 SECP256K1_INLINE static int secp256k1_fe_is_square_var(const secp256k1_fe *x) { 421 int ret; 422 secp256k1_fe tmp = *x, sqrt; 423 SECP256K1_FE_VERIFY(x); 424 425 ret = secp256k1_fe_impl_is_square_var(x); 426 secp256k1_fe_normalize_weak(&tmp); 427 VERIFY_CHECK(ret == secp256k1_fe_sqrt(&sqrt, &tmp)); 428 return ret; 429 } 430 431 static void secp256k1_fe_impl_get_bounds(secp256k1_fe* r, int m); 432 SECP256K1_INLINE static void secp256k1_fe_get_bounds(secp256k1_fe* r, int m) { 433 VERIFY_CHECK(m >= 0); 434 VERIFY_CHECK(m <= 32); 435 436 secp256k1_fe_impl_get_bounds(r, m); 437 r->magnitude = m; 438 r->normalized = (m == 0); 439 440 SECP256K1_FE_VERIFY(r); 441 } 442 443 static void secp256k1_fe_impl_half(secp256k1_fe *r); 444 SECP256K1_INLINE static void secp256k1_fe_half(secp256k1_fe *r) { 445 SECP256K1_FE_VERIFY(r); 446 SECP256K1_FE_VERIFY_MAGNITUDE(r, 31); 447 448 secp256k1_fe_impl_half(r); 449 r->magnitude = (r->magnitude >> 1) + 1; 450 r->normalized = 0; 451 452 SECP256K1_FE_VERIFY(r); 453 } 454 455 #endif /* defined(VERIFY) */ 456 457 #endif /* SECP256K1_FIELD_IMPL_H */