github.com/ethereumproject/go-ethereum@v5.5.2+incompatible/crypto/secp256k1/libsecp256k1/src/field_5x52_impl.h (about) 1 /********************************************************************** 2 * Copyright (c) 2013, 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #ifndef _SECP256K1_FIELD_REPR_IMPL_H_ 8 #define _SECP256K1_FIELD_REPR_IMPL_H_ 9 10 #if defined HAVE_CONFIG_H 11 #include "libsecp256k1-config.h" 12 #endif 13 14 #include <string.h> 15 #include "util.h" 16 #include "num.h" 17 #include "field.h" 18 19 #if defined(USE_ASM_X86_64) 20 #include "field_5x52_asm_impl.h" 21 #else 22 #include "field_5x52_int128_impl.h" 23 #endif 24 25 /** Implements arithmetic modulo FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F, 26 * represented as 5 uint64_t's in base 2^52. The values are allowed to contain >52 each. In particular, 27 * each FieldElem has a 'magnitude' associated with it. Internally, a magnitude M means each element 28 * is at most M*(2^53-1), except the most significant one, which is limited to M*(2^49-1). All operations 29 * accept any input with magnitude at most M, and have different rules for propagating magnitude to their 30 * output. 31 */ 32 33 #ifdef VERIFY 34 static void secp256k1_fe_verify(const secp256k1_fe *a) { 35 const uint64_t *d = a->n; 36 int m = a->normalized ? 1 : 2 * a->magnitude, r = 1; 37 /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ 38 r &= (d[0] <= 0xFFFFFFFFFFFFFULL * m); 39 r &= (d[1] <= 0xFFFFFFFFFFFFFULL * m); 40 r &= (d[2] <= 0xFFFFFFFFFFFFFULL * m); 41 r &= (d[3] <= 0xFFFFFFFFFFFFFULL * m); 42 r &= (d[4] <= 0x0FFFFFFFFFFFFULL * m); 43 r &= (a->magnitude >= 0); 44 r &= (a->magnitude <= 2048); 45 if (a->normalized) { 46 r &= (a->magnitude <= 1); 47 if (r && (d[4] == 0x0FFFFFFFFFFFFULL) && ((d[3] & d[2] & d[1]) == 0xFFFFFFFFFFFFFULL)) { 48 r &= (d[0] < 0xFFFFEFFFFFC2FULL); 49 } 50 } 51 VERIFY_CHECK(r == 1); 52 } 53 #else 54 static void secp256k1_fe_verify(const secp256k1_fe *a) { 55 (void)a; 56 } 57 #endif 58 59 static void secp256k1_fe_normalize(secp256k1_fe *r) { 60 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 61 62 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 63 uint64_t m; 64 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 65 66 /* The first pass ensures the magnitude is 1, ... */ 67 t0 += x * 0x1000003D1ULL; 68 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 69 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1; 70 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2; 71 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3; 72 73 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 74 VERIFY_CHECK(t4 >> 49 == 0); 75 76 /* At most a single final reduction is needed; check if the value is >= the field characteristic */ 77 x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL) 78 & (t0 >= 0xFFFFEFFFFFC2FULL)); 79 80 /* Apply the final reduction (for constant-time behaviour, we do it always) */ 81 t0 += x * 0x1000003D1ULL; 82 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 83 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 84 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 85 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 86 87 /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */ 88 VERIFY_CHECK(t4 >> 48 == x); 89 90 /* Mask off the possible multiple of 2^256 from the final reduction */ 91 t4 &= 0x0FFFFFFFFFFFFULL; 92 93 r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 94 95 #ifdef VERIFY 96 r->magnitude = 1; 97 r->normalized = 1; 98 secp256k1_fe_verify(r); 99 #endif 100 } 101 102 static void secp256k1_fe_normalize_weak(secp256k1_fe *r) { 103 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 104 105 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 106 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 107 108 /* The first pass ensures the magnitude is 1, ... */ 109 t0 += x * 0x1000003D1ULL; 110 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 111 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 112 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 113 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 114 115 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 116 VERIFY_CHECK(t4 >> 49 == 0); 117 118 r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 119 120 #ifdef VERIFY 121 r->magnitude = 1; 122 secp256k1_fe_verify(r); 123 #endif 124 } 125 126 static void secp256k1_fe_normalize_var(secp256k1_fe *r) { 127 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 128 129 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 130 uint64_t m; 131 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 132 133 /* The first pass ensures the magnitude is 1, ... */ 134 t0 += x * 0x1000003D1ULL; 135 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 136 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1; 137 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2; 138 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3; 139 140 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 141 VERIFY_CHECK(t4 >> 49 == 0); 142 143 /* At most a single final reduction is needed; check if the value is >= the field characteristic */ 144 x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL) 145 & (t0 >= 0xFFFFEFFFFFC2FULL)); 146 147 if (x) { 148 t0 += 0x1000003D1ULL; 149 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; 150 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; 151 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; 152 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; 153 154 /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */ 155 VERIFY_CHECK(t4 >> 48 == x); 156 157 /* Mask off the possible multiple of 2^256 from the final reduction */ 158 t4 &= 0x0FFFFFFFFFFFFULL; 159 } 160 161 r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4; 162 163 #ifdef VERIFY 164 r->magnitude = 1; 165 r->normalized = 1; 166 secp256k1_fe_verify(r); 167 #endif 168 } 169 170 static int secp256k1_fe_normalizes_to_zero(secp256k1_fe *r) { 171 uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; 172 173 /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ 174 uint64_t z0, z1; 175 176 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 177 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; 178 179 /* The first pass ensures the magnitude is 1, ... */ 180 t0 += x * 0x1000003D1ULL; 181 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL; 182 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1; 183 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2; 184 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3; 185 z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL; 186 187 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 188 VERIFY_CHECK(t4 >> 49 == 0); 189 190 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); 191 } 192 193 static int secp256k1_fe_normalizes_to_zero_var(secp256k1_fe *r) { 194 uint64_t t0, t1, t2, t3, t4; 195 uint64_t z0, z1; 196 uint64_t x; 197 198 t0 = r->n[0]; 199 t4 = r->n[4]; 200 201 /* Reduce t4 at the start so there will be at most a single carry from the first pass */ 202 x = t4 >> 48; 203 204 /* The first pass ensures the magnitude is 1, ... */ 205 t0 += x * 0x1000003D1ULL; 206 207 /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ 208 z0 = t0 & 0xFFFFFFFFFFFFFULL; 209 z1 = z0 ^ 0x1000003D0ULL; 210 211 /* Fast return path should catch the majority of cases */ 212 if ((z0 != 0ULL) & (z1 != 0xFFFFFFFFFFFFFULL)) { 213 return 0; 214 } 215 216 t1 = r->n[1]; 217 t2 = r->n[2]; 218 t3 = r->n[3]; 219 220 t4 &= 0x0FFFFFFFFFFFFULL; 221 222 t1 += (t0 >> 52); 223 t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1; 224 t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2; 225 t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3; 226 z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL; 227 228 /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */ 229 VERIFY_CHECK(t4 >> 49 == 0); 230 231 return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); 232 } 233 234 SECP256K1_INLINE static void secp256k1_fe_set_int(secp256k1_fe *r, int a) { 235 r->n[0] = a; 236 r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0; 237 #ifdef VERIFY 238 r->magnitude = 1; 239 r->normalized = 1; 240 secp256k1_fe_verify(r); 241 #endif 242 } 243 244 SECP256K1_INLINE static int secp256k1_fe_is_zero(const secp256k1_fe *a) { 245 const uint64_t *t = a->n; 246 #ifdef VERIFY 247 VERIFY_CHECK(a->normalized); 248 secp256k1_fe_verify(a); 249 #endif 250 return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0; 251 } 252 253 SECP256K1_INLINE static int secp256k1_fe_is_odd(const secp256k1_fe *a) { 254 #ifdef VERIFY 255 VERIFY_CHECK(a->normalized); 256 secp256k1_fe_verify(a); 257 #endif 258 return a->n[0] & 1; 259 } 260 261 SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe *a) { 262 int i; 263 #ifdef VERIFY 264 a->magnitude = 0; 265 a->normalized = 1; 266 #endif 267 for (i=0; i<5; i++) { 268 a->n[i] = 0; 269 } 270 } 271 272 static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) { 273 int i; 274 #ifdef VERIFY 275 VERIFY_CHECK(a->normalized); 276 VERIFY_CHECK(b->normalized); 277 secp256k1_fe_verify(a); 278 secp256k1_fe_verify(b); 279 #endif 280 for (i = 4; i >= 0; i--) { 281 if (a->n[i] > b->n[i]) { 282 return 1; 283 } 284 if (a->n[i] < b->n[i]) { 285 return -1; 286 } 287 } 288 return 0; 289 } 290 291 static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) { 292 int i; 293 r->n[0] = r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0; 294 for (i=0; i<32; i++) { 295 int j; 296 for (j=0; j<2; j++) { 297 int limb = (8*i+4*j)/52; 298 int shift = (8*i+4*j)%52; 299 r->n[limb] |= (uint64_t)((a[31-i] >> (4*j)) & 0xF) << shift; 300 } 301 } 302 if (r->n[4] == 0x0FFFFFFFFFFFFULL && (r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL && r->n[0] >= 0xFFFFEFFFFFC2FULL) { 303 return 0; 304 } 305 #ifdef VERIFY 306 r->magnitude = 1; 307 r->normalized = 1; 308 secp256k1_fe_verify(r); 309 #endif 310 return 1; 311 } 312 313 /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ 314 static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a) { 315 int i; 316 #ifdef VERIFY 317 VERIFY_CHECK(a->normalized); 318 secp256k1_fe_verify(a); 319 #endif 320 for (i=0; i<32; i++) { 321 int j; 322 int c = 0; 323 for (j=0; j<2; j++) { 324 int limb = (8*i+4*j)/52; 325 int shift = (8*i+4*j)%52; 326 c |= ((a->n[limb] >> shift) & 0xF) << (4 * j); 327 } 328 r[31-i] = c; 329 } 330 } 331 332 SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m) { 333 #ifdef VERIFY 334 VERIFY_CHECK(a->magnitude <= m); 335 secp256k1_fe_verify(a); 336 #endif 337 r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0]; 338 r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1]; 339 r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[2]; 340 r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[3]; 341 r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) - a->n[4]; 342 #ifdef VERIFY 343 r->magnitude = m + 1; 344 r->normalized = 0; 345 secp256k1_fe_verify(r); 346 #endif 347 } 348 349 SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) { 350 r->n[0] *= a; 351 r->n[1] *= a; 352 r->n[2] *= a; 353 r->n[3] *= a; 354 r->n[4] *= a; 355 #ifdef VERIFY 356 r->magnitude *= a; 357 r->normalized = 0; 358 secp256k1_fe_verify(r); 359 #endif 360 } 361 362 SECP256K1_INLINE static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a) { 363 #ifdef VERIFY 364 secp256k1_fe_verify(a); 365 #endif 366 r->n[0] += a->n[0]; 367 r->n[1] += a->n[1]; 368 r->n[2] += a->n[2]; 369 r->n[3] += a->n[3]; 370 r->n[4] += a->n[4]; 371 #ifdef VERIFY 372 r->magnitude += a->magnitude; 373 r->normalized = 0; 374 secp256k1_fe_verify(r); 375 #endif 376 } 377 378 static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe * SECP256K1_RESTRICT b) { 379 #ifdef VERIFY 380 VERIFY_CHECK(a->magnitude <= 8); 381 VERIFY_CHECK(b->magnitude <= 8); 382 secp256k1_fe_verify(a); 383 secp256k1_fe_verify(b); 384 VERIFY_CHECK(r != b); 385 #endif 386 secp256k1_fe_mul_inner(r->n, a->n, b->n); 387 #ifdef VERIFY 388 r->magnitude = 1; 389 r->normalized = 0; 390 secp256k1_fe_verify(r); 391 #endif 392 } 393 394 static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) { 395 #ifdef VERIFY 396 VERIFY_CHECK(a->magnitude <= 8); 397 secp256k1_fe_verify(a); 398 #endif 399 secp256k1_fe_sqr_inner(r->n, a->n); 400 #ifdef VERIFY 401 r->magnitude = 1; 402 r->normalized = 0; 403 secp256k1_fe_verify(r); 404 #endif 405 } 406 407 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) { 408 uint64_t mask0, mask1; 409 mask0 = flag + ~((uint64_t)0); 410 mask1 = ~mask0; 411 r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); 412 r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1); 413 r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1); 414 r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); 415 r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1); 416 #ifdef VERIFY 417 if (a->magnitude > r->magnitude) { 418 r->magnitude = a->magnitude; 419 } 420 r->normalized &= a->normalized; 421 #endif 422 } 423 424 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) { 425 uint64_t mask0, mask1; 426 mask0 = flag + ~((uint64_t)0); 427 mask1 = ~mask0; 428 r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); 429 r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1); 430 r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1); 431 r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); 432 } 433 434 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) { 435 #ifdef VERIFY 436 VERIFY_CHECK(a->normalized); 437 #endif 438 r->n[0] = a->n[0] | a->n[1] << 52; 439 r->n[1] = a->n[1] >> 12 | a->n[2] << 40; 440 r->n[2] = a->n[2] >> 24 | a->n[3] << 28; 441 r->n[3] = a->n[3] >> 36 | a->n[4] << 16; 442 } 443 444 static SECP256K1_INLINE void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a) { 445 r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL; 446 r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL); 447 r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL); 448 r->n[3] = a->n[2] >> 28 | ((a->n[3] << 36) & 0xFFFFFFFFFFFFFULL); 449 r->n[4] = a->n[3] >> 16; 450 #ifdef VERIFY 451 r->magnitude = 1; 452 r->normalized = 1; 453 #endif 454 } 455 456 #endif