github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/scalar_8x32_impl.h (about) 1 /*********************************************************************** 2 * Copyright (c) 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #ifndef SECP256K1_SCALAR_REPR_IMPL_H 8 #define SECP256K1_SCALAR_REPR_IMPL_H 9 10 #include "checkmem.h" 11 #include "modinv32_impl.h" 12 #include "util.h" 13 14 /* Limbs of the secp256k1 order. */ 15 #define SECP256K1_N_0 ((uint32_t)0xD0364141UL) 16 #define SECP256K1_N_1 ((uint32_t)0xBFD25E8CUL) 17 #define SECP256K1_N_2 ((uint32_t)0xAF48A03BUL) 18 #define SECP256K1_N_3 ((uint32_t)0xBAAEDCE6UL) 19 #define SECP256K1_N_4 ((uint32_t)0xFFFFFFFEUL) 20 #define SECP256K1_N_5 ((uint32_t)0xFFFFFFFFUL) 21 #define SECP256K1_N_6 ((uint32_t)0xFFFFFFFFUL) 22 #define SECP256K1_N_7 ((uint32_t)0xFFFFFFFFUL) 23 24 /* Limbs of 2^256 minus the secp256k1 order. */ 25 #define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1) 26 #define SECP256K1_N_C_1 (~SECP256K1_N_1) 27 #define SECP256K1_N_C_2 (~SECP256K1_N_2) 28 #define SECP256K1_N_C_3 (~SECP256K1_N_3) 29 #define SECP256K1_N_C_4 (1) 30 31 /* Limbs of half the secp256k1 order. */ 32 #define SECP256K1_N_H_0 ((uint32_t)0x681B20A0UL) 33 #define SECP256K1_N_H_1 ((uint32_t)0xDFE92F46UL) 34 #define SECP256K1_N_H_2 ((uint32_t)0x57A4501DUL) 35 #define SECP256K1_N_H_3 ((uint32_t)0x5D576E73UL) 36 #define SECP256K1_N_H_4 ((uint32_t)0xFFFFFFFFUL) 37 #define SECP256K1_N_H_5 ((uint32_t)0xFFFFFFFFUL) 38 #define SECP256K1_N_H_6 ((uint32_t)0xFFFFFFFFUL) 39 #define SECP256K1_N_H_7 ((uint32_t)0x7FFFFFFFUL) 40 41 SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v) { 42 r->d[0] = v; 43 r->d[1] = 0; 44 r->d[2] = 0; 45 r->d[3] = 0; 46 r->d[4] = 0; 47 r->d[5] = 0; 48 r->d[6] = 0; 49 r->d[7] = 0; 50 51 SECP256K1_SCALAR_VERIFY(r); 52 } 53 54 SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { 55 SECP256K1_SCALAR_VERIFY(a); 56 VERIFY_CHECK(count > 0 && count <= 32); 57 VERIFY_CHECK((offset + count - 1) >> 5 == offset >> 5); 58 59 return (a->d[offset >> 5] >> (offset & 0x1F)) & (0xFFFFFFFF >> (32 - count)); 60 } 61 62 SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { 63 SECP256K1_SCALAR_VERIFY(a); 64 VERIFY_CHECK(count > 0 && count <= 32); 65 VERIFY_CHECK(offset + count <= 256); 66 67 if ((offset + count - 1) >> 5 == offset >> 5) { 68 return secp256k1_scalar_get_bits_limb32(a, offset, count); 69 } else { 70 VERIFY_CHECK((offset >> 5) + 1 < 8); 71 return ((a->d[offset >> 5] >> (offset & 0x1F)) | (a->d[(offset >> 5) + 1] << (32 - (offset & 0x1F)))) & (0xFFFFFFFF >> (32 - count)); 72 } 73 } 74 75 SECP256K1_INLINE static int secp256k1_scalar_check_overflow(const secp256k1_scalar *a) { 76 int yes = 0; 77 int no = 0; 78 no |= (a->d[7] < SECP256K1_N_7); /* No need for a > check. */ 79 no |= (a->d[6] < SECP256K1_N_6); /* No need for a > check. */ 80 no |= (a->d[5] < SECP256K1_N_5); /* No need for a > check. */ 81 no |= (a->d[4] < SECP256K1_N_4); 82 yes |= (a->d[4] > SECP256K1_N_4) & ~no; 83 no |= (a->d[3] < SECP256K1_N_3) & ~yes; 84 yes |= (a->d[3] > SECP256K1_N_3) & ~no; 85 no |= (a->d[2] < SECP256K1_N_2) & ~yes; 86 yes |= (a->d[2] > SECP256K1_N_2) & ~no; 87 no |= (a->d[1] < SECP256K1_N_1) & ~yes; 88 yes |= (a->d[1] > SECP256K1_N_1) & ~no; 89 yes |= (a->d[0] >= SECP256K1_N_0) & ~no; 90 return yes; 91 } 92 93 SECP256K1_INLINE static int secp256k1_scalar_reduce(secp256k1_scalar *r, uint32_t overflow) { 94 uint64_t t; 95 VERIFY_CHECK(overflow <= 1); 96 97 t = (uint64_t)r->d[0] + overflow * SECP256K1_N_C_0; 98 r->d[0] = t & 0xFFFFFFFFUL; t >>= 32; 99 t += (uint64_t)r->d[1] + overflow * SECP256K1_N_C_1; 100 r->d[1] = t & 0xFFFFFFFFUL; t >>= 32; 101 t += (uint64_t)r->d[2] + overflow * SECP256K1_N_C_2; 102 r->d[2] = t & 0xFFFFFFFFUL; t >>= 32; 103 t += (uint64_t)r->d[3] + overflow * SECP256K1_N_C_3; 104 r->d[3] = t & 0xFFFFFFFFUL; t >>= 32; 105 t += (uint64_t)r->d[4] + overflow * SECP256K1_N_C_4; 106 r->d[4] = t & 0xFFFFFFFFUL; t >>= 32; 107 t += (uint64_t)r->d[5]; 108 r->d[5] = t & 0xFFFFFFFFUL; t >>= 32; 109 t += (uint64_t)r->d[6]; 110 r->d[6] = t & 0xFFFFFFFFUL; t >>= 32; 111 t += (uint64_t)r->d[7]; 112 r->d[7] = t & 0xFFFFFFFFUL; 113 114 SECP256K1_SCALAR_VERIFY(r); 115 return overflow; 116 } 117 118 static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) { 119 int overflow; 120 uint64_t t = (uint64_t)a->d[0] + b->d[0]; 121 SECP256K1_SCALAR_VERIFY(a); 122 SECP256K1_SCALAR_VERIFY(b); 123 124 r->d[0] = t & 0xFFFFFFFFULL; t >>= 32; 125 t += (uint64_t)a->d[1] + b->d[1]; 126 r->d[1] = t & 0xFFFFFFFFULL; t >>= 32; 127 t += (uint64_t)a->d[2] + b->d[2]; 128 r->d[2] = t & 0xFFFFFFFFULL; t >>= 32; 129 t += (uint64_t)a->d[3] + b->d[3]; 130 r->d[3] = t & 0xFFFFFFFFULL; t >>= 32; 131 t += (uint64_t)a->d[4] + b->d[4]; 132 r->d[4] = t & 0xFFFFFFFFULL; t >>= 32; 133 t += (uint64_t)a->d[5] + b->d[5]; 134 r->d[5] = t & 0xFFFFFFFFULL; t >>= 32; 135 t += (uint64_t)a->d[6] + b->d[6]; 136 r->d[6] = t & 0xFFFFFFFFULL; t >>= 32; 137 t += (uint64_t)a->d[7] + b->d[7]; 138 r->d[7] = t & 0xFFFFFFFFULL; t >>= 32; 139 overflow = t + secp256k1_scalar_check_overflow(r); 140 VERIFY_CHECK(overflow == 0 || overflow == 1); 141 secp256k1_scalar_reduce(r, overflow); 142 143 SECP256K1_SCALAR_VERIFY(r); 144 return overflow; 145 } 146 147 static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag) { 148 uint64_t t; 149 volatile int vflag = flag; 150 SECP256K1_SCALAR_VERIFY(r); 151 VERIFY_CHECK(bit < 256); 152 153 bit += ((uint32_t) vflag - 1) & 0x100; /* forcing (bit >> 5) > 7 makes this a noop */ 154 t = (uint64_t)r->d[0] + (((uint32_t)((bit >> 5) == 0)) << (bit & 0x1F)); 155 r->d[0] = t & 0xFFFFFFFFULL; t >>= 32; 156 t += (uint64_t)r->d[1] + (((uint32_t)((bit >> 5) == 1)) << (bit & 0x1F)); 157 r->d[1] = t & 0xFFFFFFFFULL; t >>= 32; 158 t += (uint64_t)r->d[2] + (((uint32_t)((bit >> 5) == 2)) << (bit & 0x1F)); 159 r->d[2] = t & 0xFFFFFFFFULL; t >>= 32; 160 t += (uint64_t)r->d[3] + (((uint32_t)((bit >> 5) == 3)) << (bit & 0x1F)); 161 r->d[3] = t & 0xFFFFFFFFULL; t >>= 32; 162 t += (uint64_t)r->d[4] + (((uint32_t)((bit >> 5) == 4)) << (bit & 0x1F)); 163 r->d[4] = t & 0xFFFFFFFFULL; t >>= 32; 164 t += (uint64_t)r->d[5] + (((uint32_t)((bit >> 5) == 5)) << (bit & 0x1F)); 165 r->d[5] = t & 0xFFFFFFFFULL; t >>= 32; 166 t += (uint64_t)r->d[6] + (((uint32_t)((bit >> 5) == 6)) << (bit & 0x1F)); 167 r->d[6] = t & 0xFFFFFFFFULL; t >>= 32; 168 t += (uint64_t)r->d[7] + (((uint32_t)((bit >> 5) == 7)) << (bit & 0x1F)); 169 r->d[7] = t & 0xFFFFFFFFULL; 170 171 SECP256K1_SCALAR_VERIFY(r); 172 VERIFY_CHECK((t >> 32) == 0); 173 } 174 175 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) { 176 int over; 177 r->d[0] = secp256k1_read_be32(&b32[28]); 178 r->d[1] = secp256k1_read_be32(&b32[24]); 179 r->d[2] = secp256k1_read_be32(&b32[20]); 180 r->d[3] = secp256k1_read_be32(&b32[16]); 181 r->d[4] = secp256k1_read_be32(&b32[12]); 182 r->d[5] = secp256k1_read_be32(&b32[8]); 183 r->d[6] = secp256k1_read_be32(&b32[4]); 184 r->d[7] = secp256k1_read_be32(&b32[0]); 185 over = secp256k1_scalar_reduce(r, secp256k1_scalar_check_overflow(r)); 186 if (overflow) { 187 *overflow = over; 188 } 189 190 SECP256K1_SCALAR_VERIFY(r); 191 } 192 193 static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a) { 194 SECP256K1_SCALAR_VERIFY(a); 195 196 secp256k1_write_be32(&bin[0], a->d[7]); 197 secp256k1_write_be32(&bin[4], a->d[6]); 198 secp256k1_write_be32(&bin[8], a->d[5]); 199 secp256k1_write_be32(&bin[12], a->d[4]); 200 secp256k1_write_be32(&bin[16], a->d[3]); 201 secp256k1_write_be32(&bin[20], a->d[2]); 202 secp256k1_write_be32(&bin[24], a->d[1]); 203 secp256k1_write_be32(&bin[28], a->d[0]); 204 } 205 206 SECP256K1_INLINE static int secp256k1_scalar_is_zero(const secp256k1_scalar *a) { 207 SECP256K1_SCALAR_VERIFY(a); 208 209 return (a->d[0] | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; 210 } 211 212 static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a) { 213 uint32_t nonzero = 0xFFFFFFFFUL * (secp256k1_scalar_is_zero(a) == 0); 214 uint64_t t = (uint64_t)(~a->d[0]) + SECP256K1_N_0 + 1; 215 SECP256K1_SCALAR_VERIFY(a); 216 217 r->d[0] = t & nonzero; t >>= 32; 218 t += (uint64_t)(~a->d[1]) + SECP256K1_N_1; 219 r->d[1] = t & nonzero; t >>= 32; 220 t += (uint64_t)(~a->d[2]) + SECP256K1_N_2; 221 r->d[2] = t & nonzero; t >>= 32; 222 t += (uint64_t)(~a->d[3]) + SECP256K1_N_3; 223 r->d[3] = t & nonzero; t >>= 32; 224 t += (uint64_t)(~a->d[4]) + SECP256K1_N_4; 225 r->d[4] = t & nonzero; t >>= 32; 226 t += (uint64_t)(~a->d[5]) + SECP256K1_N_5; 227 r->d[5] = t & nonzero; t >>= 32; 228 t += (uint64_t)(~a->d[6]) + SECP256K1_N_6; 229 r->d[6] = t & nonzero; t >>= 32; 230 t += (uint64_t)(~a->d[7]) + SECP256K1_N_7; 231 r->d[7] = t & nonzero; 232 233 SECP256K1_SCALAR_VERIFY(r); 234 } 235 236 static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a) { 237 /* Writing `/` for field division and `//` for integer division, we compute 238 * 239 * a/2 = (a - (a&1))/2 + (a&1)/2 240 * = (a >> 1) + (a&1 ? 1/2 : 0) 241 * = (a >> 1) + (a&1 ? n//2+1 : 0), 242 * 243 * where n is the group order and in the last equality we have used 1/2 = n//2+1 (mod n). 244 * For n//2, we have the constants SECP256K1_N_H_0, ... 245 * 246 * This sum does not overflow. The most extreme case is a = -2, the largest odd scalar. Here: 247 * - the left summand is: a >> 1 = (a - a&1)/2 = (n-2-1)//2 = (n-3)//2 248 * - the right summand is: a&1 ? n//2+1 : 0 = n//2+1 = (n-1)//2 + 2//2 = (n+1)//2 249 * Together they sum to (n-3)//2 + (n+1)//2 = (2n-2)//2 = n - 1, which is less than n. 250 */ 251 uint32_t mask = -(uint32_t)(a->d[0] & 1U); 252 uint64_t t = (uint32_t)((a->d[0] >> 1) | (a->d[1] << 31)); 253 SECP256K1_SCALAR_VERIFY(a); 254 255 t += (SECP256K1_N_H_0 + 1U) & mask; 256 r->d[0] = t; t >>= 32; 257 t += (uint32_t)((a->d[1] >> 1) | (a->d[2] << 31)); 258 t += SECP256K1_N_H_1 & mask; 259 r->d[1] = t; t >>= 32; 260 t += (uint32_t)((a->d[2] >> 1) | (a->d[3] << 31)); 261 t += SECP256K1_N_H_2 & mask; 262 r->d[2] = t; t >>= 32; 263 t += (uint32_t)((a->d[3] >> 1) | (a->d[4] << 31)); 264 t += SECP256K1_N_H_3 & mask; 265 r->d[3] = t; t >>= 32; 266 t += (uint32_t)((a->d[4] >> 1) | (a->d[5] << 31)); 267 t += SECP256K1_N_H_4 & mask; 268 r->d[4] = t; t >>= 32; 269 t += (uint32_t)((a->d[5] >> 1) | (a->d[6] << 31)); 270 t += SECP256K1_N_H_5 & mask; 271 r->d[5] = t; t >>= 32; 272 t += (uint32_t)((a->d[6] >> 1) | (a->d[7] << 31)); 273 t += SECP256K1_N_H_6 & mask; 274 r->d[6] = t; t >>= 32; 275 r->d[7] = (uint32_t)t + (uint32_t)(a->d[7] >> 1) + (SECP256K1_N_H_7 & mask); 276 277 /* The line above only computed the bottom 32 bits of r->d[7]. Redo the computation 278 * in full 64 bits to make sure the top 32 bits are indeed zero. */ 279 VERIFY_CHECK((t + (a->d[7] >> 1) + (SECP256K1_N_H_7 & mask)) >> 32 == 0); 280 281 SECP256K1_SCALAR_VERIFY(r); 282 } 283 284 SECP256K1_INLINE static int secp256k1_scalar_is_one(const secp256k1_scalar *a) { 285 SECP256K1_SCALAR_VERIFY(a); 286 287 return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; 288 } 289 290 static int secp256k1_scalar_is_high(const secp256k1_scalar *a) { 291 int yes = 0; 292 int no = 0; 293 SECP256K1_SCALAR_VERIFY(a); 294 295 no |= (a->d[7] < SECP256K1_N_H_7); 296 yes |= (a->d[7] > SECP256K1_N_H_7) & ~no; 297 no |= (a->d[6] < SECP256K1_N_H_6) & ~yes; /* No need for a > check. */ 298 no |= (a->d[5] < SECP256K1_N_H_5) & ~yes; /* No need for a > check. */ 299 no |= (a->d[4] < SECP256K1_N_H_4) & ~yes; /* No need for a > check. */ 300 no |= (a->d[3] < SECP256K1_N_H_3) & ~yes; 301 yes |= (a->d[3] > SECP256K1_N_H_3) & ~no; 302 no |= (a->d[2] < SECP256K1_N_H_2) & ~yes; 303 yes |= (a->d[2] > SECP256K1_N_H_2) & ~no; 304 no |= (a->d[1] < SECP256K1_N_H_1) & ~yes; 305 yes |= (a->d[1] > SECP256K1_N_H_1) & ~no; 306 yes |= (a->d[0] > SECP256K1_N_H_0) & ~no; 307 return yes; 308 } 309 310 static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) { 311 /* If we are flag = 0, mask = 00...00 and this is a no-op; 312 * if we are flag = 1, mask = 11...11 and this is identical to secp256k1_scalar_negate */ 313 volatile int vflag = flag; 314 uint32_t mask = -vflag; 315 uint32_t nonzero = 0xFFFFFFFFUL * (secp256k1_scalar_is_zero(r) == 0); 316 uint64_t t = (uint64_t)(r->d[0] ^ mask) + ((SECP256K1_N_0 + 1) & mask); 317 SECP256K1_SCALAR_VERIFY(r); 318 319 r->d[0] = t & nonzero; t >>= 32; 320 t += (uint64_t)(r->d[1] ^ mask) + (SECP256K1_N_1 & mask); 321 r->d[1] = t & nonzero; t >>= 32; 322 t += (uint64_t)(r->d[2] ^ mask) + (SECP256K1_N_2 & mask); 323 r->d[2] = t & nonzero; t >>= 32; 324 t += (uint64_t)(r->d[3] ^ mask) + (SECP256K1_N_3 & mask); 325 r->d[3] = t & nonzero; t >>= 32; 326 t += (uint64_t)(r->d[4] ^ mask) + (SECP256K1_N_4 & mask); 327 r->d[4] = t & nonzero; t >>= 32; 328 t += (uint64_t)(r->d[5] ^ mask) + (SECP256K1_N_5 & mask); 329 r->d[5] = t & nonzero; t >>= 32; 330 t += (uint64_t)(r->d[6] ^ mask) + (SECP256K1_N_6 & mask); 331 r->d[6] = t & nonzero; t >>= 32; 332 t += (uint64_t)(r->d[7] ^ mask) + (SECP256K1_N_7 & mask); 333 r->d[7] = t & nonzero; 334 335 SECP256K1_SCALAR_VERIFY(r); 336 return 2 * (mask == 0) - 1; 337 } 338 339 340 /* Inspired by the macros in OpenSSL's crypto/bn/asm/x86_64-gcc.c. */ 341 342 /** Add a*b to the number defined by (c0,c1,c2). c2 must never overflow. */ 343 #define muladd(a,b) { \ 344 uint32_t tl, th; \ 345 { \ 346 uint64_t t = (uint64_t)a * b; \ 347 th = t >> 32; /* at most 0xFFFFFFFE */ \ 348 tl = t; \ 349 } \ 350 c0 += tl; /* overflow is handled on the next line */ \ 351 th += (c0 < tl); /* at most 0xFFFFFFFF */ \ 352 c1 += th; /* overflow is handled on the next line */ \ 353 c2 += (c1 < th); /* never overflows by contract (verified in the next line) */ \ 354 VERIFY_CHECK((c1 >= th) || (c2 != 0)); \ 355 } 356 357 /** Add a*b to the number defined by (c0,c1). c1 must never overflow. */ 358 #define muladd_fast(a,b) { \ 359 uint32_t tl, th; \ 360 { \ 361 uint64_t t = (uint64_t)a * b; \ 362 th = t >> 32; /* at most 0xFFFFFFFE */ \ 363 tl = t; \ 364 } \ 365 c0 += tl; /* overflow is handled on the next line */ \ 366 th += (c0 < tl); /* at most 0xFFFFFFFF */ \ 367 c1 += th; /* never overflows by contract (verified in the next line) */ \ 368 VERIFY_CHECK(c1 >= th); \ 369 } 370 371 /** Add a to the number defined by (c0,c1,c2). c2 must never overflow. */ 372 #define sumadd(a) { \ 373 unsigned int over; \ 374 c0 += (a); /* overflow is handled on the next line */ \ 375 over = (c0 < (a)); \ 376 c1 += over; /* overflow is handled on the next line */ \ 377 c2 += (c1 < over); /* never overflows by contract */ \ 378 } 379 380 /** Add a to the number defined by (c0,c1). c1 must never overflow, c2 must be zero. */ 381 #define sumadd_fast(a) { \ 382 c0 += (a); /* overflow is handled on the next line */ \ 383 c1 += (c0 < (a)); /* never overflows by contract (verified the next line) */ \ 384 VERIFY_CHECK((c1 != 0) | (c0 >= (a))); \ 385 VERIFY_CHECK(c2 == 0); \ 386 } 387 388 /** Extract the lowest 32 bits of (c0,c1,c2) into n, and left shift the number 32 bits. */ 389 #define extract(n) { \ 390 (n) = c0; \ 391 c0 = c1; \ 392 c1 = c2; \ 393 c2 = 0; \ 394 } 395 396 /** Extract the lowest 32 bits of (c0,c1,c2) into n, and left shift the number 32 bits. c2 is required to be zero. */ 397 #define extract_fast(n) { \ 398 (n) = c0; \ 399 c0 = c1; \ 400 c1 = 0; \ 401 VERIFY_CHECK(c2 == 0); \ 402 } 403 404 static void secp256k1_scalar_reduce_512(secp256k1_scalar *r, const uint32_t *l) { 405 uint64_t c; 406 uint32_t n0 = l[8], n1 = l[9], n2 = l[10], n3 = l[11], n4 = l[12], n5 = l[13], n6 = l[14], n7 = l[15]; 407 uint32_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9, m10, m11, m12; 408 uint32_t p0, p1, p2, p3, p4, p5, p6, p7, p8; 409 410 /* 96 bit accumulator. */ 411 uint32_t c0, c1, c2; 412 413 /* Reduce 512 bits into 385. */ 414 /* m[0..12] = l[0..7] + n[0..7] * SECP256K1_N_C. */ 415 c0 = l[0]; c1 = 0; c2 = 0; 416 muladd_fast(n0, SECP256K1_N_C_0); 417 extract_fast(m0); 418 sumadd_fast(l[1]); 419 muladd(n1, SECP256K1_N_C_0); 420 muladd(n0, SECP256K1_N_C_1); 421 extract(m1); 422 sumadd(l[2]); 423 muladd(n2, SECP256K1_N_C_0); 424 muladd(n1, SECP256K1_N_C_1); 425 muladd(n0, SECP256K1_N_C_2); 426 extract(m2); 427 sumadd(l[3]); 428 muladd(n3, SECP256K1_N_C_0); 429 muladd(n2, SECP256K1_N_C_1); 430 muladd(n1, SECP256K1_N_C_2); 431 muladd(n0, SECP256K1_N_C_3); 432 extract(m3); 433 sumadd(l[4]); 434 muladd(n4, SECP256K1_N_C_0); 435 muladd(n3, SECP256K1_N_C_1); 436 muladd(n2, SECP256K1_N_C_2); 437 muladd(n1, SECP256K1_N_C_3); 438 sumadd(n0); 439 extract(m4); 440 sumadd(l[5]); 441 muladd(n5, SECP256K1_N_C_0); 442 muladd(n4, SECP256K1_N_C_1); 443 muladd(n3, SECP256K1_N_C_2); 444 muladd(n2, SECP256K1_N_C_3); 445 sumadd(n1); 446 extract(m5); 447 sumadd(l[6]); 448 muladd(n6, SECP256K1_N_C_0); 449 muladd(n5, SECP256K1_N_C_1); 450 muladd(n4, SECP256K1_N_C_2); 451 muladd(n3, SECP256K1_N_C_3); 452 sumadd(n2); 453 extract(m6); 454 sumadd(l[7]); 455 muladd(n7, SECP256K1_N_C_0); 456 muladd(n6, SECP256K1_N_C_1); 457 muladd(n5, SECP256K1_N_C_2); 458 muladd(n4, SECP256K1_N_C_3); 459 sumadd(n3); 460 extract(m7); 461 muladd(n7, SECP256K1_N_C_1); 462 muladd(n6, SECP256K1_N_C_2); 463 muladd(n5, SECP256K1_N_C_3); 464 sumadd(n4); 465 extract(m8); 466 muladd(n7, SECP256K1_N_C_2); 467 muladd(n6, SECP256K1_N_C_3); 468 sumadd(n5); 469 extract(m9); 470 muladd(n7, SECP256K1_N_C_3); 471 sumadd(n6); 472 extract(m10); 473 sumadd_fast(n7); 474 extract_fast(m11); 475 VERIFY_CHECK(c0 <= 1); 476 m12 = c0; 477 478 /* Reduce 385 bits into 258. */ 479 /* p[0..8] = m[0..7] + m[8..12] * SECP256K1_N_C. */ 480 c0 = m0; c1 = 0; c2 = 0; 481 muladd_fast(m8, SECP256K1_N_C_0); 482 extract_fast(p0); 483 sumadd_fast(m1); 484 muladd(m9, SECP256K1_N_C_0); 485 muladd(m8, SECP256K1_N_C_1); 486 extract(p1); 487 sumadd(m2); 488 muladd(m10, SECP256K1_N_C_0); 489 muladd(m9, SECP256K1_N_C_1); 490 muladd(m8, SECP256K1_N_C_2); 491 extract(p2); 492 sumadd(m3); 493 muladd(m11, SECP256K1_N_C_0); 494 muladd(m10, SECP256K1_N_C_1); 495 muladd(m9, SECP256K1_N_C_2); 496 muladd(m8, SECP256K1_N_C_3); 497 extract(p3); 498 sumadd(m4); 499 muladd(m12, SECP256K1_N_C_0); 500 muladd(m11, SECP256K1_N_C_1); 501 muladd(m10, SECP256K1_N_C_2); 502 muladd(m9, SECP256K1_N_C_3); 503 sumadd(m8); 504 extract(p4); 505 sumadd(m5); 506 muladd(m12, SECP256K1_N_C_1); 507 muladd(m11, SECP256K1_N_C_2); 508 muladd(m10, SECP256K1_N_C_3); 509 sumadd(m9); 510 extract(p5); 511 sumadd(m6); 512 muladd(m12, SECP256K1_N_C_2); 513 muladd(m11, SECP256K1_N_C_3); 514 sumadd(m10); 515 extract(p6); 516 sumadd_fast(m7); 517 muladd_fast(m12, SECP256K1_N_C_3); 518 sumadd_fast(m11); 519 extract_fast(p7); 520 p8 = c0 + m12; 521 VERIFY_CHECK(p8 <= 2); 522 523 /* Reduce 258 bits into 256. */ 524 /* r[0..7] = p[0..7] + p[8] * SECP256K1_N_C. */ 525 c = p0 + (uint64_t)SECP256K1_N_C_0 * p8; 526 r->d[0] = c & 0xFFFFFFFFUL; c >>= 32; 527 c += p1 + (uint64_t)SECP256K1_N_C_1 * p8; 528 r->d[1] = c & 0xFFFFFFFFUL; c >>= 32; 529 c += p2 + (uint64_t)SECP256K1_N_C_2 * p8; 530 r->d[2] = c & 0xFFFFFFFFUL; c >>= 32; 531 c += p3 + (uint64_t)SECP256K1_N_C_3 * p8; 532 r->d[3] = c & 0xFFFFFFFFUL; c >>= 32; 533 c += p4 + (uint64_t)p8; 534 r->d[4] = c & 0xFFFFFFFFUL; c >>= 32; 535 c += p5; 536 r->d[5] = c & 0xFFFFFFFFUL; c >>= 32; 537 c += p6; 538 r->d[6] = c & 0xFFFFFFFFUL; c >>= 32; 539 c += p7; 540 r->d[7] = c & 0xFFFFFFFFUL; c >>= 32; 541 542 /* Final reduction of r. */ 543 secp256k1_scalar_reduce(r, c + secp256k1_scalar_check_overflow(r)); 544 } 545 546 static void secp256k1_scalar_mul_512(uint32_t *l, const secp256k1_scalar *a, const secp256k1_scalar *b) { 547 /* 96 bit accumulator. */ 548 uint32_t c0 = 0, c1 = 0, c2 = 0; 549 550 /* l[0..15] = a[0..7] * b[0..7]. */ 551 muladd_fast(a->d[0], b->d[0]); 552 extract_fast(l[0]); 553 muladd(a->d[0], b->d[1]); 554 muladd(a->d[1], b->d[0]); 555 extract(l[1]); 556 muladd(a->d[0], b->d[2]); 557 muladd(a->d[1], b->d[1]); 558 muladd(a->d[2], b->d[0]); 559 extract(l[2]); 560 muladd(a->d[0], b->d[3]); 561 muladd(a->d[1], b->d[2]); 562 muladd(a->d[2], b->d[1]); 563 muladd(a->d[3], b->d[0]); 564 extract(l[3]); 565 muladd(a->d[0], b->d[4]); 566 muladd(a->d[1], b->d[3]); 567 muladd(a->d[2], b->d[2]); 568 muladd(a->d[3], b->d[1]); 569 muladd(a->d[4], b->d[0]); 570 extract(l[4]); 571 muladd(a->d[0], b->d[5]); 572 muladd(a->d[1], b->d[4]); 573 muladd(a->d[2], b->d[3]); 574 muladd(a->d[3], b->d[2]); 575 muladd(a->d[4], b->d[1]); 576 muladd(a->d[5], b->d[0]); 577 extract(l[5]); 578 muladd(a->d[0], b->d[6]); 579 muladd(a->d[1], b->d[5]); 580 muladd(a->d[2], b->d[4]); 581 muladd(a->d[3], b->d[3]); 582 muladd(a->d[4], b->d[2]); 583 muladd(a->d[5], b->d[1]); 584 muladd(a->d[6], b->d[0]); 585 extract(l[6]); 586 muladd(a->d[0], b->d[7]); 587 muladd(a->d[1], b->d[6]); 588 muladd(a->d[2], b->d[5]); 589 muladd(a->d[3], b->d[4]); 590 muladd(a->d[4], b->d[3]); 591 muladd(a->d[5], b->d[2]); 592 muladd(a->d[6], b->d[1]); 593 muladd(a->d[7], b->d[0]); 594 extract(l[7]); 595 muladd(a->d[1], b->d[7]); 596 muladd(a->d[2], b->d[6]); 597 muladd(a->d[3], b->d[5]); 598 muladd(a->d[4], b->d[4]); 599 muladd(a->d[5], b->d[3]); 600 muladd(a->d[6], b->d[2]); 601 muladd(a->d[7], b->d[1]); 602 extract(l[8]); 603 muladd(a->d[2], b->d[7]); 604 muladd(a->d[3], b->d[6]); 605 muladd(a->d[4], b->d[5]); 606 muladd(a->d[5], b->d[4]); 607 muladd(a->d[6], b->d[3]); 608 muladd(a->d[7], b->d[2]); 609 extract(l[9]); 610 muladd(a->d[3], b->d[7]); 611 muladd(a->d[4], b->d[6]); 612 muladd(a->d[5], b->d[5]); 613 muladd(a->d[6], b->d[4]); 614 muladd(a->d[7], b->d[3]); 615 extract(l[10]); 616 muladd(a->d[4], b->d[7]); 617 muladd(a->d[5], b->d[6]); 618 muladd(a->d[6], b->d[5]); 619 muladd(a->d[7], b->d[4]); 620 extract(l[11]); 621 muladd(a->d[5], b->d[7]); 622 muladd(a->d[6], b->d[6]); 623 muladd(a->d[7], b->d[5]); 624 extract(l[12]); 625 muladd(a->d[6], b->d[7]); 626 muladd(a->d[7], b->d[6]); 627 extract(l[13]); 628 muladd_fast(a->d[7], b->d[7]); 629 extract_fast(l[14]); 630 VERIFY_CHECK(c1 == 0); 631 l[15] = c0; 632 } 633 634 #undef sumadd 635 #undef sumadd_fast 636 #undef muladd 637 #undef muladd_fast 638 #undef extract 639 #undef extract_fast 640 641 static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b) { 642 uint32_t l[16]; 643 SECP256K1_SCALAR_VERIFY(a); 644 SECP256K1_SCALAR_VERIFY(b); 645 646 secp256k1_scalar_mul_512(l, a, b); 647 secp256k1_scalar_reduce_512(r, l); 648 649 SECP256K1_SCALAR_VERIFY(r); 650 } 651 652 static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) { 653 SECP256K1_SCALAR_VERIFY(k); 654 655 r1->d[0] = k->d[0]; 656 r1->d[1] = k->d[1]; 657 r1->d[2] = k->d[2]; 658 r1->d[3] = k->d[3]; 659 r1->d[4] = 0; 660 r1->d[5] = 0; 661 r1->d[6] = 0; 662 r1->d[7] = 0; 663 r2->d[0] = k->d[4]; 664 r2->d[1] = k->d[5]; 665 r2->d[2] = k->d[6]; 666 r2->d[3] = k->d[7]; 667 r2->d[4] = 0; 668 r2->d[5] = 0; 669 r2->d[6] = 0; 670 r2->d[7] = 0; 671 672 SECP256K1_SCALAR_VERIFY(r1); 673 SECP256K1_SCALAR_VERIFY(r2); 674 } 675 676 SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b) { 677 SECP256K1_SCALAR_VERIFY(a); 678 SECP256K1_SCALAR_VERIFY(b); 679 680 return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3]) | (a->d[4] ^ b->d[4]) | (a->d[5] ^ b->d[5]) | (a->d[6] ^ b->d[6]) | (a->d[7] ^ b->d[7])) == 0; 681 } 682 683 SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift) { 684 uint32_t l[16]; 685 unsigned int shiftlimbs; 686 unsigned int shiftlow; 687 unsigned int shifthigh; 688 SECP256K1_SCALAR_VERIFY(a); 689 SECP256K1_SCALAR_VERIFY(b); 690 VERIFY_CHECK(shift >= 256); 691 692 secp256k1_scalar_mul_512(l, a, b); 693 shiftlimbs = shift >> 5; 694 shiftlow = shift & 0x1F; 695 shifthigh = 32 - shiftlow; 696 r->d[0] = shift < 512 ? (l[0 + shiftlimbs] >> shiftlow | (shift < 480 && shiftlow ? (l[1 + shiftlimbs] << shifthigh) : 0)) : 0; 697 r->d[1] = shift < 480 ? (l[1 + shiftlimbs] >> shiftlow | (shift < 448 && shiftlow ? (l[2 + shiftlimbs] << shifthigh) : 0)) : 0; 698 r->d[2] = shift < 448 ? (l[2 + shiftlimbs] >> shiftlow | (shift < 416 && shiftlow ? (l[3 + shiftlimbs] << shifthigh) : 0)) : 0; 699 r->d[3] = shift < 416 ? (l[3 + shiftlimbs] >> shiftlow | (shift < 384 && shiftlow ? (l[4 + shiftlimbs] << shifthigh) : 0)) : 0; 700 r->d[4] = shift < 384 ? (l[4 + shiftlimbs] >> shiftlow | (shift < 352 && shiftlow ? (l[5 + shiftlimbs] << shifthigh) : 0)) : 0; 701 r->d[5] = shift < 352 ? (l[5 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[6 + shiftlimbs] << shifthigh) : 0)) : 0; 702 r->d[6] = shift < 320 ? (l[6 + shiftlimbs] >> shiftlow | (shift < 288 && shiftlow ? (l[7 + shiftlimbs] << shifthigh) : 0)) : 0; 703 r->d[7] = shift < 288 ? (l[7 + shiftlimbs] >> shiftlow) : 0; 704 secp256k1_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 5] >> ((shift - 1) & 0x1f)) & 1); 705 706 SECP256K1_SCALAR_VERIFY(r); 707 } 708 709 static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) { 710 uint32_t mask0, mask1; 711 volatile int vflag = flag; 712 SECP256K1_SCALAR_VERIFY(a); 713 SECP256K1_CHECKMEM_CHECK_VERIFY(r->d, sizeof(r->d)); 714 715 mask0 = vflag + ~((uint32_t)0); 716 mask1 = ~mask0; 717 r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1); 718 r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1); 719 r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1); 720 r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1); 721 r->d[4] = (r->d[4] & mask0) | (a->d[4] & mask1); 722 r->d[5] = (r->d[5] & mask0) | (a->d[5] & mask1); 723 r->d[6] = (r->d[6] & mask0) | (a->d[6] & mask1); 724 r->d[7] = (r->d[7] & mask0) | (a->d[7] & mask1); 725 726 SECP256K1_SCALAR_VERIFY(r); 727 } 728 729 static void secp256k1_scalar_from_signed30(secp256k1_scalar *r, const secp256k1_modinv32_signed30 *a) { 730 const uint32_t a0 = a->v[0], a1 = a->v[1], a2 = a->v[2], a3 = a->v[3], a4 = a->v[4], 731 a5 = a->v[5], a6 = a->v[6], a7 = a->v[7], a8 = a->v[8]; 732 733 /* The output from secp256k1_modinv32{_var} should be normalized to range [0,modulus), and 734 * have limbs in [0,2^30). The modulus is < 2^256, so the top limb must be below 2^(256-30*8). 735 */ 736 VERIFY_CHECK(a0 >> 30 == 0); 737 VERIFY_CHECK(a1 >> 30 == 0); 738 VERIFY_CHECK(a2 >> 30 == 0); 739 VERIFY_CHECK(a3 >> 30 == 0); 740 VERIFY_CHECK(a4 >> 30 == 0); 741 VERIFY_CHECK(a5 >> 30 == 0); 742 VERIFY_CHECK(a6 >> 30 == 0); 743 VERIFY_CHECK(a7 >> 30 == 0); 744 VERIFY_CHECK(a8 >> 16 == 0); 745 746 r->d[0] = a0 | a1 << 30; 747 r->d[1] = a1 >> 2 | a2 << 28; 748 r->d[2] = a2 >> 4 | a3 << 26; 749 r->d[3] = a3 >> 6 | a4 << 24; 750 r->d[4] = a4 >> 8 | a5 << 22; 751 r->d[5] = a5 >> 10 | a6 << 20; 752 r->d[6] = a6 >> 12 | a7 << 18; 753 r->d[7] = a7 >> 14 | a8 << 16; 754 755 SECP256K1_SCALAR_VERIFY(r); 756 } 757 758 static void secp256k1_scalar_to_signed30(secp256k1_modinv32_signed30 *r, const secp256k1_scalar *a) { 759 const uint32_t M30 = UINT32_MAX >> 2; 760 const uint32_t a0 = a->d[0], a1 = a->d[1], a2 = a->d[2], a3 = a->d[3], 761 a4 = a->d[4], a5 = a->d[5], a6 = a->d[6], a7 = a->d[7]; 762 SECP256K1_SCALAR_VERIFY(a); 763 764 r->v[0] = a0 & M30; 765 r->v[1] = (a0 >> 30 | a1 << 2) & M30; 766 r->v[2] = (a1 >> 28 | a2 << 4) & M30; 767 r->v[3] = (a2 >> 26 | a3 << 6) & M30; 768 r->v[4] = (a3 >> 24 | a4 << 8) & M30; 769 r->v[5] = (a4 >> 22 | a5 << 10) & M30; 770 r->v[6] = (a5 >> 20 | a6 << 12) & M30; 771 r->v[7] = (a6 >> 18 | a7 << 14) & M30; 772 r->v[8] = a7 >> 16; 773 } 774 775 static const secp256k1_modinv32_modinfo secp256k1_const_modinfo_scalar = { 776 {{0x10364141L, 0x3F497A33L, 0x348A03BBL, 0x2BB739ABL, -0x146L, 0, 0, 0, 65536}}, 777 0x2A774EC1L 778 }; 779 780 static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *x) { 781 secp256k1_modinv32_signed30 s; 782 #ifdef VERIFY 783 int zero_in = secp256k1_scalar_is_zero(x); 784 #endif 785 SECP256K1_SCALAR_VERIFY(x); 786 787 secp256k1_scalar_to_signed30(&s, x); 788 secp256k1_modinv32(&s, &secp256k1_const_modinfo_scalar); 789 secp256k1_scalar_from_signed30(r, &s); 790 791 SECP256K1_SCALAR_VERIFY(r); 792 VERIFY_CHECK(secp256k1_scalar_is_zero(r) == zero_in); 793 } 794 795 static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *x) { 796 secp256k1_modinv32_signed30 s; 797 #ifdef VERIFY 798 int zero_in = secp256k1_scalar_is_zero(x); 799 #endif 800 SECP256K1_SCALAR_VERIFY(x); 801 802 secp256k1_scalar_to_signed30(&s, x); 803 secp256k1_modinv32_var(&s, &secp256k1_const_modinfo_scalar); 804 secp256k1_scalar_from_signed30(r, &s); 805 806 SECP256K1_SCALAR_VERIFY(r); 807 VERIFY_CHECK(secp256k1_scalar_is_zero(r) == zero_in); 808 } 809 810 SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a) { 811 SECP256K1_SCALAR_VERIFY(a); 812 813 return !(a->d[0] & 1); 814 } 815 816 #endif /* SECP256K1_SCALAR_REPR_IMPL_H */