github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/group_impl.h (about) 1 /*********************************************************************** 2 * Copyright (c) 2013, 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_GROUP_IMPL_H 8 #define SECP256K1_GROUP_IMPL_H 9 10 #include <string.h> 11 12 #include "field.h" 13 #include "group.h" 14 #include "util.h" 15 16 /* Begin of section generated by sage/gen_exhaustive_groups.sage. */ 17 #define SECP256K1_G_ORDER_7 SECP256K1_GE_CONST(\ 18 0x66625d13, 0x317ffe44, 0x63d32cff, 0x1ca02b9b,\ 19 0xe5c6d070, 0x50b4b05e, 0x81cc30db, 0xf5166f0a,\ 20 0x1e60e897, 0xa7c00c7c, 0x2df53eb6, 0x98274ff4,\ 21 0x64252f42, 0x8ca44e17, 0x3b25418c, 0xff4ab0cf\ 22 ) 23 #define SECP256K1_G_ORDER_13 SECP256K1_GE_CONST(\ 24 0xa2482ff8, 0x4bf34edf, 0xa51262fd, 0xe57921db,\ 25 0xe0dd2cb7, 0xa5914790, 0xbc71631f, 0xc09704fb,\ 26 0x942536cb, 0xa3e49492, 0x3a701cc3, 0xee3e443f,\ 27 0xdf182aa9, 0x15b8aa6a, 0x166d3b19, 0xba84b045\ 28 ) 29 #define SECP256K1_G_ORDER_199 SECP256K1_GE_CONST(\ 30 0x7fb07b5c, 0xd07c3bda, 0x553902e2, 0x7a87ea2c,\ 31 0x35108a7f, 0x051f41e5, 0xb76abad5, 0x1f2703ad,\ 32 0x0a251539, 0x5b4c4438, 0x952a634f, 0xac10dd4d,\ 33 0x6d6f4745, 0x98990c27, 0x3a4f3116, 0xd32ff969\ 34 ) 35 /** Generator for secp256k1, value 'g' defined in 36 * "Standards for Efficient Cryptography" (SEC2) 2.7.1. 37 */ 38 #define SECP256K1_G SECP256K1_GE_CONST(\ 39 0x79be667e, 0xf9dcbbac, 0x55a06295, 0xce870b07,\ 40 0x029bfcdb, 0x2dce28d9, 0x59f2815b, 0x16f81798,\ 41 0x483ada77, 0x26a3c465, 0x5da4fbfc, 0x0e1108a8,\ 42 0xfd17b448, 0xa6855419, 0x9c47d08f, 0xfb10d4b8\ 43 ) 44 /* These exhaustive group test orders and generators are chosen such that: 45 * - The field size is equal to that of secp256k1, so field code is the same. 46 * - The curve equation is of the form y^2=x^3+B for some small constant B. 47 * - The subgroup has a generator 2*P, where P.x is as small as possible. 48 * - The subgroup has size less than 1000 to permit exhaustive testing. 49 * - The subgroup admits an endomorphism of the form lambda*(x,y) == (beta*x,y). 50 */ 51 #if defined(EXHAUSTIVE_TEST_ORDER) 52 # if EXHAUSTIVE_TEST_ORDER == 7 53 54 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_7; 55 #define SECP256K1_B 6 56 57 # elif EXHAUSTIVE_TEST_ORDER == 13 58 59 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_13; 60 #define SECP256K1_B 2 61 62 # elif EXHAUSTIVE_TEST_ORDER == 199 63 64 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G_ORDER_199; 65 #define SECP256K1_B 4 66 67 # else 68 # error No known generator for the specified exhaustive test group order. 69 # endif 70 #else 71 72 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_G; 73 #define SECP256K1_B 7 74 75 #endif 76 /* End of section generated by sage/gen_exhaustive_groups.sage. */ 77 78 static void secp256k1_ge_verify(const secp256k1_ge *a) { 79 SECP256K1_FE_VERIFY(&a->x); 80 SECP256K1_FE_VERIFY(&a->y); 81 SECP256K1_FE_VERIFY_MAGNITUDE(&a->x, SECP256K1_GE_X_MAGNITUDE_MAX); 82 SECP256K1_FE_VERIFY_MAGNITUDE(&a->y, SECP256K1_GE_Y_MAGNITUDE_MAX); 83 VERIFY_CHECK(a->infinity == 0 || a->infinity == 1); 84 (void)a; 85 } 86 87 static void secp256k1_gej_verify(const secp256k1_gej *a) { 88 SECP256K1_FE_VERIFY(&a->x); 89 SECP256K1_FE_VERIFY(&a->y); 90 SECP256K1_FE_VERIFY(&a->z); 91 SECP256K1_FE_VERIFY_MAGNITUDE(&a->x, SECP256K1_GEJ_X_MAGNITUDE_MAX); 92 SECP256K1_FE_VERIFY_MAGNITUDE(&a->y, SECP256K1_GEJ_Y_MAGNITUDE_MAX); 93 SECP256K1_FE_VERIFY_MAGNITUDE(&a->z, SECP256K1_GEJ_Z_MAGNITUDE_MAX); 94 VERIFY_CHECK(a->infinity == 0 || a->infinity == 1); 95 (void)a; 96 } 97 98 /* Set r to the affine coordinates of Jacobian point (a.x, a.y, 1/zi). */ 99 static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) { 100 secp256k1_fe zi2; 101 secp256k1_fe zi3; 102 SECP256K1_GEJ_VERIFY(a); 103 SECP256K1_FE_VERIFY(zi); 104 VERIFY_CHECK(!a->infinity); 105 106 secp256k1_fe_sqr(&zi2, zi); 107 secp256k1_fe_mul(&zi3, &zi2, zi); 108 secp256k1_fe_mul(&r->x, &a->x, &zi2); 109 secp256k1_fe_mul(&r->y, &a->y, &zi3); 110 r->infinity = a->infinity; 111 112 SECP256K1_GE_VERIFY(r); 113 } 114 115 /* Set r to the affine coordinates of Jacobian point (a.x, a.y, 1/zi). */ 116 static void secp256k1_ge_set_ge_zinv(secp256k1_ge *r, const secp256k1_ge *a, const secp256k1_fe *zi) { 117 secp256k1_fe zi2; 118 secp256k1_fe zi3; 119 SECP256K1_GE_VERIFY(a); 120 SECP256K1_FE_VERIFY(zi); 121 VERIFY_CHECK(!a->infinity); 122 123 secp256k1_fe_sqr(&zi2, zi); 124 secp256k1_fe_mul(&zi3, &zi2, zi); 125 secp256k1_fe_mul(&r->x, &a->x, &zi2); 126 secp256k1_fe_mul(&r->y, &a->y, &zi3); 127 r->infinity = a->infinity; 128 129 SECP256K1_GE_VERIFY(r); 130 } 131 132 static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y) { 133 SECP256K1_FE_VERIFY(x); 134 SECP256K1_FE_VERIFY(y); 135 136 r->infinity = 0; 137 r->x = *x; 138 r->y = *y; 139 140 SECP256K1_GE_VERIFY(r); 141 } 142 143 static int secp256k1_ge_is_infinity(const secp256k1_ge *a) { 144 SECP256K1_GE_VERIFY(a); 145 146 return a->infinity; 147 } 148 149 static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a) { 150 SECP256K1_GE_VERIFY(a); 151 152 *r = *a; 153 secp256k1_fe_normalize_weak(&r->y); 154 secp256k1_fe_negate(&r->y, &r->y, 1); 155 156 SECP256K1_GE_VERIFY(r); 157 } 158 159 static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a) { 160 secp256k1_fe z2, z3; 161 SECP256K1_GEJ_VERIFY(a); 162 163 r->infinity = a->infinity; 164 secp256k1_fe_inv(&a->z, &a->z); 165 secp256k1_fe_sqr(&z2, &a->z); 166 secp256k1_fe_mul(&z3, &a->z, &z2); 167 secp256k1_fe_mul(&a->x, &a->x, &z2); 168 secp256k1_fe_mul(&a->y, &a->y, &z3); 169 secp256k1_fe_set_int(&a->z, 1); 170 r->x = a->x; 171 r->y = a->y; 172 173 SECP256K1_GEJ_VERIFY(a); 174 SECP256K1_GE_VERIFY(r); 175 } 176 177 static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a) { 178 secp256k1_fe z2, z3; 179 SECP256K1_GEJ_VERIFY(a); 180 181 if (secp256k1_gej_is_infinity(a)) { 182 secp256k1_ge_set_infinity(r); 183 return; 184 } 185 r->infinity = 0; 186 secp256k1_fe_inv_var(&a->z, &a->z); 187 secp256k1_fe_sqr(&z2, &a->z); 188 secp256k1_fe_mul(&z3, &a->z, &z2); 189 secp256k1_fe_mul(&a->x, &a->x, &z2); 190 secp256k1_fe_mul(&a->y, &a->y, &z3); 191 secp256k1_fe_set_int(&a->z, 1); 192 secp256k1_ge_set_xy(r, &a->x, &a->y); 193 194 SECP256K1_GEJ_VERIFY(a); 195 SECP256K1_GE_VERIFY(r); 196 } 197 198 static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len) { 199 secp256k1_fe u; 200 size_t i; 201 size_t last_i = SIZE_MAX; 202 #ifdef VERIFY 203 for (i = 0; i < len; i++) { 204 SECP256K1_GEJ_VERIFY(&a[i]); 205 } 206 #endif 207 208 for (i = 0; i < len; i++) { 209 if (a[i].infinity) { 210 secp256k1_ge_set_infinity(&r[i]); 211 } else { 212 /* Use destination's x coordinates as scratch space */ 213 if (last_i == SIZE_MAX) { 214 r[i].x = a[i].z; 215 } else { 216 secp256k1_fe_mul(&r[i].x, &r[last_i].x, &a[i].z); 217 } 218 last_i = i; 219 } 220 } 221 if (last_i == SIZE_MAX) { 222 return; 223 } 224 secp256k1_fe_inv_var(&u, &r[last_i].x); 225 226 i = last_i; 227 while (i > 0) { 228 i--; 229 if (!a[i].infinity) { 230 secp256k1_fe_mul(&r[last_i].x, &r[i].x, &u); 231 secp256k1_fe_mul(&u, &u, &a[last_i].z); 232 last_i = i; 233 } 234 } 235 VERIFY_CHECK(!a[last_i].infinity); 236 r[last_i].x = u; 237 238 for (i = 0; i < len; i++) { 239 if (!a[i].infinity) { 240 secp256k1_ge_set_gej_zinv(&r[i], &a[i], &r[i].x); 241 } 242 } 243 244 #ifdef VERIFY 245 for (i = 0; i < len; i++) { 246 SECP256K1_GE_VERIFY(&r[i]); 247 } 248 #endif 249 } 250 251 static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const secp256k1_fe *zr) { 252 size_t i; 253 secp256k1_fe zs; 254 #ifdef VERIFY 255 for (i = 0; i < len; i++) { 256 SECP256K1_GE_VERIFY(&a[i]); 257 SECP256K1_FE_VERIFY(&zr[i]); 258 } 259 #endif 260 261 if (len > 0) { 262 i = len - 1; 263 /* Ensure all y values are in weak normal form for fast negation of points */ 264 secp256k1_fe_normalize_weak(&a[i].y); 265 zs = zr[i]; 266 267 /* Work our way backwards, using the z-ratios to scale the x/y values. */ 268 while (i > 0) { 269 if (i != len - 1) { 270 secp256k1_fe_mul(&zs, &zs, &zr[i]); 271 } 272 i--; 273 secp256k1_ge_set_ge_zinv(&a[i], &a[i], &zs); 274 } 275 } 276 277 #ifdef VERIFY 278 for (i = 0; i < len; i++) { 279 SECP256K1_GE_VERIFY(&a[i]); 280 } 281 #endif 282 } 283 284 static void secp256k1_gej_set_infinity(secp256k1_gej *r) { 285 r->infinity = 1; 286 secp256k1_fe_set_int(&r->x, 0); 287 secp256k1_fe_set_int(&r->y, 0); 288 secp256k1_fe_set_int(&r->z, 0); 289 290 SECP256K1_GEJ_VERIFY(r); 291 } 292 293 static void secp256k1_ge_set_infinity(secp256k1_ge *r) { 294 r->infinity = 1; 295 secp256k1_fe_set_int(&r->x, 0); 296 secp256k1_fe_set_int(&r->y, 0); 297 298 SECP256K1_GE_VERIFY(r); 299 } 300 301 static void secp256k1_gej_clear(secp256k1_gej *r) { 302 secp256k1_memclear(r, sizeof(secp256k1_gej)); 303 } 304 305 static void secp256k1_ge_clear(secp256k1_ge *r) { 306 secp256k1_memclear(r, sizeof(secp256k1_ge)); 307 } 308 309 static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) { 310 secp256k1_fe x2, x3; 311 int ret; 312 SECP256K1_FE_VERIFY(x); 313 314 r->x = *x; 315 secp256k1_fe_sqr(&x2, x); 316 secp256k1_fe_mul(&x3, x, &x2); 317 r->infinity = 0; 318 secp256k1_fe_add_int(&x3, SECP256K1_B); 319 ret = secp256k1_fe_sqrt(&r->y, &x3); 320 secp256k1_fe_normalize_var(&r->y); 321 if (secp256k1_fe_is_odd(&r->y) != odd) { 322 secp256k1_fe_negate(&r->y, &r->y, 1); 323 } 324 325 SECP256K1_GE_VERIFY(r); 326 return ret; 327 } 328 329 static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a) { 330 SECP256K1_GE_VERIFY(a); 331 332 r->infinity = a->infinity; 333 r->x = a->x; 334 r->y = a->y; 335 secp256k1_fe_set_int(&r->z, 1); 336 337 SECP256K1_GEJ_VERIFY(r); 338 } 339 340 static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b) { 341 secp256k1_gej tmp; 342 SECP256K1_GEJ_VERIFY(b); 343 SECP256K1_GEJ_VERIFY(a); 344 345 secp256k1_gej_neg(&tmp, a); 346 secp256k1_gej_add_var(&tmp, &tmp, b, NULL); 347 return secp256k1_gej_is_infinity(&tmp); 348 } 349 350 static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b) { 351 secp256k1_gej tmp; 352 SECP256K1_GEJ_VERIFY(a); 353 SECP256K1_GE_VERIFY(b); 354 355 secp256k1_gej_neg(&tmp, a); 356 secp256k1_gej_add_ge_var(&tmp, &tmp, b, NULL); 357 return secp256k1_gej_is_infinity(&tmp); 358 } 359 360 static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b) { 361 secp256k1_fe tmp; 362 SECP256K1_GE_VERIFY(a); 363 SECP256K1_GE_VERIFY(b); 364 365 if (a->infinity != b->infinity) return 0; 366 if (a->infinity) return 1; 367 368 tmp = a->x; 369 secp256k1_fe_normalize_weak(&tmp); 370 if (!secp256k1_fe_equal(&tmp, &b->x)) return 0; 371 372 tmp = a->y; 373 secp256k1_fe_normalize_weak(&tmp); 374 if (!secp256k1_fe_equal(&tmp, &b->y)) return 0; 375 376 return 1; 377 } 378 379 static int secp256k1_gej_eq_x_var(const secp256k1_fe *x, const secp256k1_gej *a) { 380 secp256k1_fe r; 381 SECP256K1_FE_VERIFY(x); 382 SECP256K1_GEJ_VERIFY(a); 383 VERIFY_CHECK(!a->infinity); 384 385 secp256k1_fe_sqr(&r, &a->z); secp256k1_fe_mul(&r, &r, x); 386 return secp256k1_fe_equal(&r, &a->x); 387 } 388 389 static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a) { 390 SECP256K1_GEJ_VERIFY(a); 391 392 r->infinity = a->infinity; 393 r->x = a->x; 394 r->y = a->y; 395 r->z = a->z; 396 secp256k1_fe_normalize_weak(&r->y); 397 secp256k1_fe_negate(&r->y, &r->y, 1); 398 399 SECP256K1_GEJ_VERIFY(r); 400 } 401 402 static int secp256k1_gej_is_infinity(const secp256k1_gej *a) { 403 SECP256K1_GEJ_VERIFY(a); 404 405 return a->infinity; 406 } 407 408 static int secp256k1_ge_is_valid_var(const secp256k1_ge *a) { 409 secp256k1_fe y2, x3; 410 SECP256K1_GE_VERIFY(a); 411 412 if (a->infinity) { 413 return 0; 414 } 415 /* y^2 = x^3 + 7 */ 416 secp256k1_fe_sqr(&y2, &a->y); 417 secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x); 418 secp256k1_fe_add_int(&x3, SECP256K1_B); 419 return secp256k1_fe_equal(&y2, &x3); 420 } 421 422 static SECP256K1_INLINE void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a) { 423 /* Operations: 3 mul, 4 sqr, 8 add/half/mul_int/negate */ 424 secp256k1_fe l, s, t; 425 SECP256K1_GEJ_VERIFY(a); 426 427 r->infinity = a->infinity; 428 429 /* Formula used: 430 * L = (3/2) * X1^2 431 * S = Y1^2 432 * T = -X1*S 433 * X3 = L^2 + 2*T 434 * Y3 = -(L*(X3 + T) + S^2) 435 * Z3 = Y1*Z1 436 */ 437 438 secp256k1_fe_mul(&r->z, &a->z, &a->y); /* Z3 = Y1*Z1 (1) */ 439 secp256k1_fe_sqr(&s, &a->y); /* S = Y1^2 (1) */ 440 secp256k1_fe_sqr(&l, &a->x); /* L = X1^2 (1) */ 441 secp256k1_fe_mul_int(&l, 3); /* L = 3*X1^2 (3) */ 442 secp256k1_fe_half(&l); /* L = 3/2*X1^2 (2) */ 443 secp256k1_fe_negate(&t, &s, 1); /* T = -S (2) */ 444 secp256k1_fe_mul(&t, &t, &a->x); /* T = -X1*S (1) */ 445 secp256k1_fe_sqr(&r->x, &l); /* X3 = L^2 (1) */ 446 secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + T (2) */ 447 secp256k1_fe_add(&r->x, &t); /* X3 = L^2 + 2*T (3) */ 448 secp256k1_fe_sqr(&s, &s); /* S' = S^2 (1) */ 449 secp256k1_fe_add(&t, &r->x); /* T' = X3 + T (4) */ 450 secp256k1_fe_mul(&r->y, &t, &l); /* Y3 = L*(X3 + T) (1) */ 451 secp256k1_fe_add(&r->y, &s); /* Y3 = L*(X3 + T) + S^2 (2) */ 452 secp256k1_fe_negate(&r->y, &r->y, 2); /* Y3 = -(L*(X3 + T) + S^2) (3) */ 453 454 SECP256K1_GEJ_VERIFY(r); 455 } 456 457 static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) { 458 SECP256K1_GEJ_VERIFY(a); 459 460 /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity, 461 * Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have 462 * y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p. 463 * 464 * Having said this, if this function receives a point on a sextic twist, e.g. by 465 * a fault attack, it is possible for y to be 0. This happens for y^2 = x^3 + 6, 466 * since -6 does have a cube root mod p. For this point, this function will not set 467 * the infinity flag even though the point doubles to infinity, and the result 468 * point will be gibberish (z = 0 but infinity = 0). 469 */ 470 if (a->infinity) { 471 secp256k1_gej_set_infinity(r); 472 if (rzr != NULL) { 473 secp256k1_fe_set_int(rzr, 1); 474 } 475 return; 476 } 477 478 if (rzr != NULL) { 479 *rzr = a->y; 480 secp256k1_fe_normalize_weak(rzr); 481 } 482 483 secp256k1_gej_double(r, a); 484 485 SECP256K1_GEJ_VERIFY(r); 486 } 487 488 static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr) { 489 /* 12 mul, 4 sqr, 11 add/negate/normalizes_to_zero (ignoring special cases) */ 490 secp256k1_fe z22, z12, u1, u2, s1, s2, h, i, h2, h3, t; 491 SECP256K1_GEJ_VERIFY(a); 492 SECP256K1_GEJ_VERIFY(b); 493 494 if (a->infinity) { 495 VERIFY_CHECK(rzr == NULL); 496 *r = *b; 497 return; 498 } 499 if (b->infinity) { 500 if (rzr != NULL) { 501 secp256k1_fe_set_int(rzr, 1); 502 } 503 *r = *a; 504 return; 505 } 506 507 secp256k1_fe_sqr(&z22, &b->z); 508 secp256k1_fe_sqr(&z12, &a->z); 509 secp256k1_fe_mul(&u1, &a->x, &z22); 510 secp256k1_fe_mul(&u2, &b->x, &z12); 511 secp256k1_fe_mul(&s1, &a->y, &z22); secp256k1_fe_mul(&s1, &s1, &b->z); 512 secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z); 513 secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2); 514 secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1); 515 if (secp256k1_fe_normalizes_to_zero_var(&h)) { 516 if (secp256k1_fe_normalizes_to_zero_var(&i)) { 517 secp256k1_gej_double_var(r, a, rzr); 518 } else { 519 if (rzr != NULL) { 520 secp256k1_fe_set_int(rzr, 0); 521 } 522 secp256k1_gej_set_infinity(r); 523 } 524 return; 525 } 526 527 r->infinity = 0; 528 secp256k1_fe_mul(&t, &h, &b->z); 529 if (rzr != NULL) { 530 *rzr = t; 531 } 532 secp256k1_fe_mul(&r->z, &a->z, &t); 533 534 secp256k1_fe_sqr(&h2, &h); 535 secp256k1_fe_negate(&h2, &h2, 1); 536 secp256k1_fe_mul(&h3, &h2, &h); 537 secp256k1_fe_mul(&t, &u1, &h2); 538 539 secp256k1_fe_sqr(&r->x, &i); 540 secp256k1_fe_add(&r->x, &h3); 541 secp256k1_fe_add(&r->x, &t); 542 secp256k1_fe_add(&r->x, &t); 543 544 secp256k1_fe_add(&t, &r->x); 545 secp256k1_fe_mul(&r->y, &t, &i); 546 secp256k1_fe_mul(&h3, &h3, &s1); 547 secp256k1_fe_add(&r->y, &h3); 548 549 SECP256K1_GEJ_VERIFY(r); 550 } 551 552 static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr) { 553 /* Operations: 8 mul, 3 sqr, 11 add/negate/normalizes_to_zero (ignoring special cases) */ 554 secp256k1_fe z12, u1, u2, s1, s2, h, i, h2, h3, t; 555 SECP256K1_GEJ_VERIFY(a); 556 SECP256K1_GE_VERIFY(b); 557 558 if (a->infinity) { 559 VERIFY_CHECK(rzr == NULL); 560 secp256k1_gej_set_ge(r, b); 561 return; 562 } 563 if (b->infinity) { 564 if (rzr != NULL) { 565 secp256k1_fe_set_int(rzr, 1); 566 } 567 *r = *a; 568 return; 569 } 570 571 secp256k1_fe_sqr(&z12, &a->z); 572 u1 = a->x; 573 secp256k1_fe_mul(&u2, &b->x, &z12); 574 s1 = a->y; 575 secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z); 576 secp256k1_fe_negate(&h, &u1, SECP256K1_GEJ_X_MAGNITUDE_MAX); secp256k1_fe_add(&h, &u2); 577 secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1); 578 if (secp256k1_fe_normalizes_to_zero_var(&h)) { 579 if (secp256k1_fe_normalizes_to_zero_var(&i)) { 580 secp256k1_gej_double_var(r, a, rzr); 581 } else { 582 if (rzr != NULL) { 583 secp256k1_fe_set_int(rzr, 0); 584 } 585 secp256k1_gej_set_infinity(r); 586 } 587 return; 588 } 589 590 r->infinity = 0; 591 if (rzr != NULL) { 592 *rzr = h; 593 } 594 secp256k1_fe_mul(&r->z, &a->z, &h); 595 596 secp256k1_fe_sqr(&h2, &h); 597 secp256k1_fe_negate(&h2, &h2, 1); 598 secp256k1_fe_mul(&h3, &h2, &h); 599 secp256k1_fe_mul(&t, &u1, &h2); 600 601 secp256k1_fe_sqr(&r->x, &i); 602 secp256k1_fe_add(&r->x, &h3); 603 secp256k1_fe_add(&r->x, &t); 604 secp256k1_fe_add(&r->x, &t); 605 606 secp256k1_fe_add(&t, &r->x); 607 secp256k1_fe_mul(&r->y, &t, &i); 608 secp256k1_fe_mul(&h3, &h3, &s1); 609 secp256k1_fe_add(&r->y, &h3); 610 611 SECP256K1_GEJ_VERIFY(r); 612 if (rzr != NULL) SECP256K1_FE_VERIFY(rzr); 613 } 614 615 static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv) { 616 /* Operations: 9 mul, 3 sqr, 11 add/negate/normalizes_to_zero (ignoring special cases) */ 617 secp256k1_fe az, z12, u1, u2, s1, s2, h, i, h2, h3, t; 618 SECP256K1_GEJ_VERIFY(a); 619 SECP256K1_GE_VERIFY(b); 620 SECP256K1_FE_VERIFY(bzinv); 621 622 if (a->infinity) { 623 secp256k1_fe bzinv2, bzinv3; 624 r->infinity = b->infinity; 625 secp256k1_fe_sqr(&bzinv2, bzinv); 626 secp256k1_fe_mul(&bzinv3, &bzinv2, bzinv); 627 secp256k1_fe_mul(&r->x, &b->x, &bzinv2); 628 secp256k1_fe_mul(&r->y, &b->y, &bzinv3); 629 secp256k1_fe_set_int(&r->z, 1); 630 SECP256K1_GEJ_VERIFY(r); 631 return; 632 } 633 if (b->infinity) { 634 *r = *a; 635 return; 636 } 637 638 /** We need to calculate (rx,ry,rz) = (ax,ay,az) + (bx,by,1/bzinv). Due to 639 * secp256k1's isomorphism we can multiply the Z coordinates on both sides 640 * by bzinv, and get: (rx,ry,rz*bzinv) = (ax,ay,az*bzinv) + (bx,by,1). 641 * This means that (rx,ry,rz) can be calculated as 642 * (ax,ay,az*bzinv) + (bx,by,1), when not applying the bzinv factor to rz. 643 * The variable az below holds the modified Z coordinate for a, which is used 644 * for the computation of rx and ry, but not for rz. 645 */ 646 secp256k1_fe_mul(&az, &a->z, bzinv); 647 648 secp256k1_fe_sqr(&z12, &az); 649 u1 = a->x; 650 secp256k1_fe_mul(&u2, &b->x, &z12); 651 s1 = a->y; 652 secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &az); 653 secp256k1_fe_negate(&h, &u1, SECP256K1_GEJ_X_MAGNITUDE_MAX); secp256k1_fe_add(&h, &u2); 654 secp256k1_fe_negate(&i, &s2, 1); secp256k1_fe_add(&i, &s1); 655 if (secp256k1_fe_normalizes_to_zero_var(&h)) { 656 if (secp256k1_fe_normalizes_to_zero_var(&i)) { 657 secp256k1_gej_double_var(r, a, NULL); 658 } else { 659 secp256k1_gej_set_infinity(r); 660 } 661 return; 662 } 663 664 r->infinity = 0; 665 secp256k1_fe_mul(&r->z, &a->z, &h); 666 667 secp256k1_fe_sqr(&h2, &h); 668 secp256k1_fe_negate(&h2, &h2, 1); 669 secp256k1_fe_mul(&h3, &h2, &h); 670 secp256k1_fe_mul(&t, &u1, &h2); 671 672 secp256k1_fe_sqr(&r->x, &i); 673 secp256k1_fe_add(&r->x, &h3); 674 secp256k1_fe_add(&r->x, &t); 675 secp256k1_fe_add(&r->x, &t); 676 677 secp256k1_fe_add(&t, &r->x); 678 secp256k1_fe_mul(&r->y, &t, &i); 679 secp256k1_fe_mul(&h3, &h3, &s1); 680 secp256k1_fe_add(&r->y, &h3); 681 682 SECP256K1_GEJ_VERIFY(r); 683 } 684 685 686 static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b) { 687 /* Operations: 7 mul, 5 sqr, 21 add/cmov/half/mul_int/negate/normalizes_to_zero */ 688 secp256k1_fe zz, u1, u2, s1, s2, t, tt, m, n, q, rr; 689 secp256k1_fe m_alt, rr_alt; 690 int degenerate; 691 SECP256K1_GEJ_VERIFY(a); 692 SECP256K1_GE_VERIFY(b); 693 VERIFY_CHECK(!b->infinity); 694 695 /* In: 696 * Eric Brier and Marc Joye, Weierstrass Elliptic Curves and Side-Channel Attacks. 697 * In D. Naccache and P. Paillier, Eds., Public Key Cryptography, vol. 2274 of Lecture Notes in Computer Science, pages 335-345. Springer-Verlag, 2002. 698 * we find as solution for a unified addition/doubling formula: 699 * lambda = ((x1 + x2)^2 - x1 * x2 + a) / (y1 + y2), with a = 0 for secp256k1's curve equation. 700 * x3 = lambda^2 - (x1 + x2) 701 * 2*y3 = lambda * (x1 + x2 - 2 * x3) - (y1 + y2). 702 * 703 * Substituting x_i = Xi / Zi^2 and yi = Yi / Zi^3, for i=1,2,3, gives: 704 * U1 = X1*Z2^2, U2 = X2*Z1^2 705 * S1 = Y1*Z2^3, S2 = Y2*Z1^3 706 * Z = Z1*Z2 707 * T = U1+U2 708 * M = S1+S2 709 * Q = -T*M^2 710 * R = T^2-U1*U2 711 * X3 = R^2+Q 712 * Y3 = -(R*(2*X3+Q)+M^4)/2 713 * Z3 = M*Z 714 * (Note that the paper uses xi = Xi / Zi and yi = Yi / Zi instead.) 715 * 716 * This formula has the benefit of being the same for both addition 717 * of distinct points and doubling. However, it breaks down in the 718 * case that either point is infinity, or that y1 = -y2. We handle 719 * these cases in the following ways: 720 * 721 * - If b is infinity we simply bail by means of a VERIFY_CHECK. 722 * 723 * - If a is infinity, we detect this, and at the end of the 724 * computation replace the result (which will be meaningless, 725 * but we compute to be constant-time) with b.x : b.y : 1. 726 * 727 * - If a = -b, we have y1 = -y2, which is a degenerate case. 728 * But here the answer is infinity, so we simply set the 729 * infinity flag of the result, overriding the computed values 730 * without even needing to cmov. 731 * 732 * - If y1 = -y2 but x1 != x2, which does occur thanks to certain 733 * properties of our curve (specifically, 1 has nontrivial cube 734 * roots in our field, and the curve equation has no x coefficient) 735 * then the answer is not infinity but also not given by the above 736 * equation. In this case, we cmov in place an alternate expression 737 * for lambda. Specifically (y1 - y2)/(x1 - x2). Where both these 738 * expressions for lambda are defined, they are equal, and can be 739 * obtained from each other by multiplication by (y1 + y2)/(y1 + y2) 740 * then substitution of x^3 + 7 for y^2 (using the curve equation). 741 * For all pairs of nonzero points (a, b) at least one is defined, 742 * so this covers everything. 743 */ 744 745 secp256k1_fe_sqr(&zz, &a->z); /* z = Z1^2 */ 746 u1 = a->x; /* u1 = U1 = X1*Z2^2 (GEJ_X_M) */ 747 secp256k1_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */ 748 s1 = a->y; /* s1 = S1 = Y1*Z2^3 (GEJ_Y_M) */ 749 secp256k1_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z1^2 (1) */ 750 secp256k1_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */ 751 t = u1; secp256k1_fe_add(&t, &u2); /* t = T = U1+U2 (GEJ_X_M+1) */ 752 m = s1; secp256k1_fe_add(&m, &s2); /* m = M = S1+S2 (GEJ_Y_M+1) */ 753 secp256k1_fe_sqr(&rr, &t); /* rr = T^2 (1) */ 754 secp256k1_fe_negate(&m_alt, &u2, 1); /* Malt = -X2*Z1^2 (2) */ 755 secp256k1_fe_mul(&tt, &u1, &m_alt); /* tt = -U1*U2 (1) */ 756 secp256k1_fe_add(&rr, &tt); /* rr = R = T^2-U1*U2 (2) */ 757 /* If lambda = R/M = R/0 we have a problem (except in the "trivial" 758 * case that Z = z1z2 = 0, and this is special-cased later on). */ 759 degenerate = secp256k1_fe_normalizes_to_zero(&m); 760 /* This only occurs when y1 == -y2 and x1^3 == x2^3, but x1 != x2. 761 * This means either x1 == beta*x2 or beta*x1 == x2, where beta is 762 * a nontrivial cube root of one. In either case, an alternate 763 * non-indeterminate expression for lambda is (y1 - y2)/(x1 - x2), 764 * so we set R/M equal to this. */ 765 rr_alt = s1; 766 secp256k1_fe_mul_int(&rr_alt, 2); /* rr_alt = Y1*Z2^3 - Y2*Z1^3 (GEJ_Y_M*2) */ 767 secp256k1_fe_add(&m_alt, &u1); /* Malt = X1*Z2^2 - X2*Z1^2 (GEJ_X_M+2) */ 768 769 secp256k1_fe_cmov(&rr_alt, &rr, !degenerate); /* rr_alt (GEJ_Y_M*2) */ 770 secp256k1_fe_cmov(&m_alt, &m, !degenerate); /* m_alt (GEJ_X_M+2) */ 771 /* Now Ralt / Malt = lambda and is guaranteed not to be Ralt / 0. 772 * From here on out Ralt and Malt represent the numerator 773 * and denominator of lambda; R and M represent the explicit 774 * expressions x1^2 + x2^2 + x1x2 and y1 + y2. */ 775 secp256k1_fe_sqr(&n, &m_alt); /* n = Malt^2 (1) */ 776 secp256k1_fe_negate(&q, &t, 777 SECP256K1_GEJ_X_MAGNITUDE_MAX + 1); /* q = -T (GEJ_X_M+2) */ 778 secp256k1_fe_mul(&q, &q, &n); /* q = Q = -T*Malt^2 (1) */ 779 /* These two lines use the observation that either M == Malt or M == 0, 780 * so M^3 * Malt is either Malt^4 (which is computed by squaring), or 781 * zero (which is "computed" by cmov). So the cost is one squaring 782 * versus two multiplications. */ 783 secp256k1_fe_sqr(&n, &n); /* n = Malt^4 (1) */ 784 secp256k1_fe_cmov(&n, &m, degenerate); /* n = M^3 * Malt (GEJ_Y_M+1) */ 785 secp256k1_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */ 786 secp256k1_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Z3 = Malt*Z (1) */ 787 secp256k1_fe_add(&t, &q); /* t = Ralt^2 + Q (2) */ 788 r->x = t; /* r->x = X3 = Ralt^2 + Q (2) */ 789 secp256k1_fe_mul_int(&t, 2); /* t = 2*X3 (4) */ 790 secp256k1_fe_add(&t, &q); /* t = 2*X3 + Q (5) */ 791 secp256k1_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*X3 + Q) (1) */ 792 secp256k1_fe_add(&t, &n); /* t = Ralt*(2*X3 + Q) + M^3*Malt (GEJ_Y_M+2) */ 793 secp256k1_fe_negate(&r->y, &t, 794 SECP256K1_GEJ_Y_MAGNITUDE_MAX + 2); /* r->y = -(Ralt*(2*X3 + Q) + M^3*Malt) (GEJ_Y_M+3) */ 795 secp256k1_fe_half(&r->y); /* r->y = Y3 = -(Ralt*(2*X3 + Q) + M^3*Malt)/2 ((GEJ_Y_M+3)/2 + 1) */ 796 797 /* In case a->infinity == 1, replace r with (b->x, b->y, 1). */ 798 secp256k1_fe_cmov(&r->x, &b->x, a->infinity); 799 secp256k1_fe_cmov(&r->y, &b->y, a->infinity); 800 secp256k1_fe_cmov(&r->z, &secp256k1_fe_one, a->infinity); 801 802 /* Set r->infinity if r->z is 0. 803 * 804 * If a->infinity is set, then r->infinity = (r->z == 0) = (1 == 0) = false, 805 * which is correct because the function assumes that b is not infinity. 806 * 807 * Now assume !a->infinity. This implies Z = Z1 != 0. 808 * 809 * Case y1 = -y2: 810 * In this case we could have a = -b, namely if x1 = x2. 811 * We have degenerate = true, r->z = (x1 - x2) * Z. 812 * Then r->infinity = ((x1 - x2)Z == 0) = (x1 == x2) = (a == -b). 813 * 814 * Case y1 != -y2: 815 * In this case, we can't have a = -b. 816 * We have degenerate = false, r->z = (y1 + y2) * Z. 817 * Then r->infinity = ((y1 + y2)Z == 0) = (y1 == -y2) = false. */ 818 r->infinity = secp256k1_fe_normalizes_to_zero(&r->z); 819 820 SECP256K1_GEJ_VERIFY(r); 821 } 822 823 static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *s) { 824 /* Operations: 4 mul, 1 sqr */ 825 secp256k1_fe zz; 826 SECP256K1_GEJ_VERIFY(r); 827 SECP256K1_FE_VERIFY(s); 828 VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero_var(s)); 829 830 secp256k1_fe_sqr(&zz, s); 831 secp256k1_fe_mul(&r->x, &r->x, &zz); /* r->x *= s^2 */ 832 secp256k1_fe_mul(&r->y, &r->y, &zz); 833 secp256k1_fe_mul(&r->y, &r->y, s); /* r->y *= s^3 */ 834 secp256k1_fe_mul(&r->z, &r->z, s); /* r->z *= s */ 835 836 SECP256K1_GEJ_VERIFY(r); 837 } 838 839 static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a) { 840 secp256k1_fe x, y; 841 SECP256K1_GE_VERIFY(a); 842 VERIFY_CHECK(!a->infinity); 843 844 x = a->x; 845 secp256k1_fe_normalize(&x); 846 y = a->y; 847 secp256k1_fe_normalize(&y); 848 secp256k1_fe_to_storage(&r->x, &x); 849 secp256k1_fe_to_storage(&r->y, &y); 850 } 851 852 static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a) { 853 secp256k1_fe_from_storage(&r->x, &a->x); 854 secp256k1_fe_from_storage(&r->y, &a->y); 855 r->infinity = 0; 856 857 SECP256K1_GE_VERIFY(r); 858 } 859 860 static SECP256K1_INLINE void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag) { 861 SECP256K1_GEJ_VERIFY(r); 862 SECP256K1_GEJ_VERIFY(a); 863 864 secp256k1_fe_cmov(&r->x, &a->x, flag); 865 secp256k1_fe_cmov(&r->y, &a->y, flag); 866 secp256k1_fe_cmov(&r->z, &a->z, flag); 867 r->infinity ^= (r->infinity ^ a->infinity) & flag; 868 869 SECP256K1_GEJ_VERIFY(r); 870 } 871 872 static SECP256K1_INLINE void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag) { 873 secp256k1_fe_storage_cmov(&r->x, &a->x, flag); 874 secp256k1_fe_storage_cmov(&r->y, &a->y, flag); 875 } 876 877 static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a) { 878 SECP256K1_GE_VERIFY(a); 879 880 *r = *a; 881 secp256k1_fe_mul(&r->x, &r->x, &secp256k1_const_beta); 882 883 SECP256K1_GE_VERIFY(r); 884 } 885 886 static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge) { 887 #ifdef EXHAUSTIVE_TEST_ORDER 888 secp256k1_gej out; 889 int i; 890 SECP256K1_GE_VERIFY(ge); 891 892 /* A very simple EC multiplication ladder that avoids a dependency on ecmult. */ 893 secp256k1_gej_set_infinity(&out); 894 for (i = 0; i < 32; ++i) { 895 secp256k1_gej_double_var(&out, &out, NULL); 896 if ((((uint32_t)EXHAUSTIVE_TEST_ORDER) >> (31 - i)) & 1) { 897 secp256k1_gej_add_ge_var(&out, &out, ge, NULL); 898 } 899 } 900 return secp256k1_gej_is_infinity(&out); 901 #else 902 SECP256K1_GE_VERIFY(ge); 903 904 (void)ge; 905 /* The real secp256k1 group has cofactor 1, so the subgroup is the entire curve. */ 906 return 1; 907 #endif 908 } 909 910 static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x) { 911 secp256k1_fe c; 912 secp256k1_fe_sqr(&c, x); 913 secp256k1_fe_mul(&c, &c, x); 914 secp256k1_fe_add_int(&c, SECP256K1_B); 915 return secp256k1_fe_is_square_var(&c); 916 } 917 918 static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd) { 919 /* We want to determine whether (xn/xd) is on the curve. 920 * 921 * (xn/xd)^3 + 7 is square <=> xd*xn^3 + 7*xd^4 is square (multiplying by xd^4, a square). 922 */ 923 secp256k1_fe r, t; 924 VERIFY_CHECK(!secp256k1_fe_normalizes_to_zero_var(xd)); 925 926 secp256k1_fe_mul(&r, xd, xn); /* r = xd*xn */ 927 secp256k1_fe_sqr(&t, xn); /* t = xn^2 */ 928 secp256k1_fe_mul(&r, &r, &t); /* r = xd*xn^3 */ 929 secp256k1_fe_sqr(&t, xd); /* t = xd^2 */ 930 secp256k1_fe_sqr(&t, &t); /* t = xd^4 */ 931 VERIFY_CHECK(SECP256K1_B <= 31); 932 secp256k1_fe_mul_int(&t, SECP256K1_B); /* t = 7*xd^4 */ 933 secp256k1_fe_add(&r, &t); /* r = xd*xn^3 + 7*xd^4 */ 934 return secp256k1_fe_is_square_var(&r); 935 } 936 937 static void secp256k1_ge_to_bytes(unsigned char *buf, const secp256k1_ge *a) { 938 secp256k1_ge_storage s; 939 940 /* We require that the secp256k1_ge_storage type is exactly 64 bytes. 941 * This is formally not guaranteed by the C standard, but should hold on any 942 * sane compiler in the real world. */ 943 STATIC_ASSERT(sizeof(secp256k1_ge_storage) == 64); 944 VERIFY_CHECK(!secp256k1_ge_is_infinity(a)); 945 secp256k1_ge_to_storage(&s, a); 946 memcpy(buf, &s, 64); 947 } 948 949 static void secp256k1_ge_from_bytes(secp256k1_ge *r, const unsigned char *buf) { 950 secp256k1_ge_storage s; 951 952 STATIC_ASSERT(sizeof(secp256k1_ge_storage) == 64); 953 memcpy(&s, buf, 64); 954 secp256k1_ge_from_storage(r, &s); 955 } 956 957 static void secp256k1_ge_to_bytes_ext(unsigned char *data, const secp256k1_ge *ge) { 958 if (secp256k1_ge_is_infinity(ge)) { 959 memset(data, 0, 64); 960 } else { 961 secp256k1_ge_to_bytes(data, ge); 962 } 963 } 964 965 static void secp256k1_ge_from_bytes_ext(secp256k1_ge *ge, const unsigned char *data) { 966 static const unsigned char zeros[64] = { 0 }; 967 if (secp256k1_memcmp_var(data, zeros, sizeof(zeros)) == 0) { 968 secp256k1_ge_set_infinity(ge); 969 } else { 970 secp256k1_ge_from_bytes(ge, data); 971 } 972 } 973 974 #endif /* SECP256K1_GROUP_IMPL_H */