github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/scalar.h (about) 1 /*********************************************************************** 2 * Copyright (c) 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_SCALAR_H 8 #define SECP256K1_SCALAR_H 9 10 #include "util.h" 11 12 #if defined(EXHAUSTIVE_TEST_ORDER) 13 #include "scalar_low.h" 14 #elif defined(SECP256K1_WIDEMUL_INT128) 15 #include "scalar_4x64.h" 16 #elif defined(SECP256K1_WIDEMUL_INT64) 17 #include "scalar_8x32.h" 18 #else 19 #error "Please select wide multiplication implementation" 20 #endif 21 22 /** Clear a scalar to prevent the leak of sensitive data. */ 23 static void secp256k1_scalar_clear(secp256k1_scalar *r); 24 25 /** Access bits (1 < count <= 32) from a scalar. All requested bits must belong to the same 32-bit limb. */ 26 static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count); 27 28 /** Access bits (1 < count <= 32) from a scalar. offset + count must be < 256. Not constant time in offset and count. */ 29 static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count); 30 31 /** Set a scalar from a big endian byte array. The scalar will be reduced modulo group order `n`. 32 * In: bin: pointer to a 32-byte array. 33 * Out: r: scalar to be set. 34 * overflow: non-zero if the scalar was bigger or equal to `n` before reduction, zero otherwise (can be NULL). 35 */ 36 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow); 37 38 /** Set a scalar from a big endian byte array and returns 1 if it is a valid 39 * seckey and 0 otherwise. */ 40 static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin); 41 42 /** Set a scalar to an unsigned integer. */ 43 static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v); 44 45 /** Convert a scalar to a byte array. */ 46 static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a); 47 48 /** Add two scalars together (modulo the group order). Returns whether it overflowed. */ 49 static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b); 50 51 /** Conditionally add a power of two to a scalar. The result is not allowed to overflow. */ 52 static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag); 53 54 /** Multiply two scalars (modulo the group order). */ 55 static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b); 56 57 /** Compute the inverse of a scalar (modulo the group order). */ 58 static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a); 59 60 /** Compute the inverse of a scalar (modulo the group order), without constant-time guarantee. */ 61 static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a); 62 63 /** Compute the complement of a scalar (modulo the group order). */ 64 static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a); 65 66 /** Multiply a scalar with the multiplicative inverse of 2. */ 67 static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a); 68 69 /** Check whether a scalar equals zero. */ 70 static int secp256k1_scalar_is_zero(const secp256k1_scalar *a); 71 72 /** Check whether a scalar equals one. */ 73 static int secp256k1_scalar_is_one(const secp256k1_scalar *a); 74 75 /** Check whether a scalar, considered as an nonnegative integer, is even. */ 76 static int secp256k1_scalar_is_even(const secp256k1_scalar *a); 77 78 /** Check whether a scalar is higher than the group order divided by 2. */ 79 static int secp256k1_scalar_is_high(const secp256k1_scalar *a); 80 81 /** Conditionally negate a number, in constant time. 82 * Returns -1 if the number was negated, 1 otherwise */ 83 static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag); 84 85 /** Compare two scalars. */ 86 static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b); 87 88 /** Find r1 and r2 such that r1+r2*2^128 = k. */ 89 static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k); 90 /** Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their 91 * negations are maximum 128 bits long (see secp256k1_ge_mul_lambda). It is 92 * required that r1, r2, and k all point to different objects. */ 93 static void secp256k1_scalar_split_lambda(secp256k1_scalar * SECP256K1_RESTRICT r1, secp256k1_scalar * SECP256K1_RESTRICT r2, const secp256k1_scalar * SECP256K1_RESTRICT k); 94 95 /** Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer. Shift must be at least 256. */ 96 static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift); 97 98 /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. Both *r and *a must be initialized.*/ 99 static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag); 100 101 /** Check invariants on a scalar (no-op unless VERIFY is enabled). */ 102 static void secp256k1_scalar_verify(const secp256k1_scalar *r); 103 #define SECP256K1_SCALAR_VERIFY(r) secp256k1_scalar_verify(r) 104 105 #endif /* SECP256K1_SCALAR_H */