github.com/luckypickle/go-ethereum-vet@v1.14.2/crypto/secp256k1/libsecp256k1/src/field_5x52_impl.h (about)

     1  /**********************************************************************
     2   * Copyright (c) 2013, 2014 Pieter Wuille                             *
     3   * Distributed under the MIT software license, see the accompanying   *
     4   * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
     5   **********************************************************************/
     6  
     7  #ifndef _SECP256K1_FIELD_REPR_IMPL_H_
     8  #define _SECP256K1_FIELD_REPR_IMPL_H_
     9  
    10  #if defined HAVE_CONFIG_H
    11  #include "libsecp256k1-config.h"
    12  #endif
    13  
    14  #include "util.h"
    15  #include "num.h"
    16  #include "field.h"
    17  
    18  #if defined(USE_ASM_X86_64)
    19  #include "field_5x52_asm_impl.h"
    20  #else
    21  #include "field_5x52_int128_impl.h"
    22  #endif
    23  
    24  /** Implements arithmetic modulo FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F,
    25   *  represented as 5 uint64_t's in base 2^52. The values are allowed to contain >52 each. In particular,
    26   *  each FieldElem has a 'magnitude' associated with it. Internally, a magnitude M means each element
    27   *  is at most M*(2^53-1), except the most significant one, which is limited to M*(2^49-1). All operations
    28   *  accept any input with magnitude at most M, and have different rules for propagating magnitude to their
    29   *  output.
    30   */
    31  
    32  #ifdef VERIFY
    33  static void vet_secp256k1_fe_verify(const vet_secp256k1_fe *a) {
    34      const uint64_t *d = a->n;
    35      int m = a->normalized ? 1 : 2 * a->magnitude, r = 1;
    36     /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */
    37      r &= (d[0] <= 0xFFFFFFFFFFFFFULL * m);
    38      r &= (d[1] <= 0xFFFFFFFFFFFFFULL * m);
    39      r &= (d[2] <= 0xFFFFFFFFFFFFFULL * m);
    40      r &= (d[3] <= 0xFFFFFFFFFFFFFULL * m);
    41      r &= (d[4] <= 0x0FFFFFFFFFFFFULL * m);
    42      r &= (a->magnitude >= 0);
    43      r &= (a->magnitude <= 2048);
    44      if (a->normalized) {
    45          r &= (a->magnitude <= 1);
    46          if (r && (d[4] == 0x0FFFFFFFFFFFFULL) && ((d[3] & d[2] & d[1]) == 0xFFFFFFFFFFFFFULL)) {
    47              r &= (d[0] < 0xFFFFEFFFFFC2FULL);
    48          }
    49      }
    50      VERIFY_CHECK(r == 1);
    51  }
    52  #endif
    53  
    54  static void vet_secp256k1_fe_normalize(vet_secp256k1_fe *r) {
    55      uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
    56  
    57      /* Reduce t4 at the start so there will be at most a single carry from the first pass */
    58      uint64_t m;
    59      uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
    60  
    61      /* The first pass ensures the magnitude is 1, ... */
    62      t0 += x * 0x1000003D1ULL;
    63      t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
    64      t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1;
    65      t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2;
    66      t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3;
    67  
    68      /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
    69      VERIFY_CHECK(t4 >> 49 == 0);
    70  
    71      /* At most a single final reduction is needed; check if the value is >= the field characteristic */
    72      x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
    73          & (t0 >= 0xFFFFEFFFFFC2FULL));
    74  
    75      /* Apply the final reduction (for constant-time behaviour, we do it always) */
    76      t0 += x * 0x1000003D1ULL;
    77      t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
    78      t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
    79      t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
    80      t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
    81  
    82      /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */
    83      VERIFY_CHECK(t4 >> 48 == x);
    84  
    85      /* Mask off the possible multiple of 2^256 from the final reduction */
    86      t4 &= 0x0FFFFFFFFFFFFULL;
    87  
    88      r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
    89  
    90  #ifdef VERIFY
    91      r->magnitude = 1;
    92      r->normalized = 1;
    93      vet_secp256k1_fe_verify(r);
    94  #endif
    95  }
    96  
    97  static void vet_secp256k1_fe_normalize_weak(vet_secp256k1_fe *r) {
    98      uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
    99  
   100      /* Reduce t4 at the start so there will be at most a single carry from the first pass */
   101      uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
   102  
   103      /* The first pass ensures the magnitude is 1, ... */
   104      t0 += x * 0x1000003D1ULL;
   105      t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
   106      t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
   107      t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
   108      t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
   109  
   110      /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
   111      VERIFY_CHECK(t4 >> 49 == 0);
   112  
   113      r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
   114  
   115  #ifdef VERIFY
   116      r->magnitude = 1;
   117      vet_secp256k1_fe_verify(r);
   118  #endif
   119  }
   120  
   121  static void vet_secp256k1_fe_normalize_var(vet_secp256k1_fe *r) {
   122      uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
   123  
   124      /* Reduce t4 at the start so there will be at most a single carry from the first pass */
   125      uint64_t m;
   126      uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
   127  
   128      /* The first pass ensures the magnitude is 1, ... */
   129      t0 += x * 0x1000003D1ULL;
   130      t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
   131      t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; m = t1;
   132      t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; m &= t2;
   133      t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; m &= t3;
   134  
   135      /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
   136      VERIFY_CHECK(t4 >> 49 == 0);
   137  
   138      /* At most a single final reduction is needed; check if the value is >= the field characteristic */
   139      x = (t4 >> 48) | ((t4 == 0x0FFFFFFFFFFFFULL) & (m == 0xFFFFFFFFFFFFFULL)
   140          & (t0 >= 0xFFFFEFFFFFC2FULL));
   141  
   142      if (x) {
   143          t0 += 0x1000003D1ULL;
   144          t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
   145          t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL;
   146          t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL;
   147          t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL;
   148  
   149          /* If t4 didn't carry to bit 48 already, then it should have after any final reduction */
   150          VERIFY_CHECK(t4 >> 48 == x);
   151  
   152          /* Mask off the possible multiple of 2^256 from the final reduction */
   153          t4 &= 0x0FFFFFFFFFFFFULL;
   154      }
   155  
   156      r->n[0] = t0; r->n[1] = t1; r->n[2] = t2; r->n[3] = t3; r->n[4] = t4;
   157  
   158  #ifdef VERIFY
   159      r->magnitude = 1;
   160      r->normalized = 1;
   161      vet_secp256k1_fe_verify(r);
   162  #endif
   163  }
   164  
   165  static int vet_secp256k1_fe_normalizes_to_zero(vet_secp256k1_fe *r) {
   166      uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4];
   167  
   168      /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
   169      uint64_t z0, z1;
   170  
   171      /* Reduce t4 at the start so there will be at most a single carry from the first pass */
   172      uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
   173  
   174      /* The first pass ensures the magnitude is 1, ... */
   175      t0 += x * 0x1000003D1ULL;
   176      t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0  = t0; z1  = t0 ^ 0x1000003D0ULL;
   177      t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1;
   178      t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2;
   179      t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3;
   180                                                  z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
   181  
   182      /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
   183      VERIFY_CHECK(t4 >> 49 == 0);
   184  
   185      return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
   186  }
   187  
   188  static int vet_secp256k1_fe_normalizes_to_zero_var(vet_secp256k1_fe *r) {
   189      uint64_t t0, t1, t2, t3, t4;
   190      uint64_t z0, z1;
   191      uint64_t x;
   192  
   193      t0 = r->n[0];
   194      t4 = r->n[4];
   195  
   196      /* Reduce t4 at the start so there will be at most a single carry from the first pass */
   197      x = t4 >> 48;
   198  
   199      /* The first pass ensures the magnitude is 1, ... */
   200      t0 += x * 0x1000003D1ULL;
   201  
   202      /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */
   203      z0 = t0 & 0xFFFFFFFFFFFFFULL;
   204      z1 = z0 ^ 0x1000003D0ULL;
   205  
   206      /* Fast return path should catch the majority of cases */
   207      if ((z0 != 0ULL) & (z1 != 0xFFFFFFFFFFFFFULL)) {
   208          return 0;
   209      }
   210  
   211      t1 = r->n[1];
   212      t2 = r->n[2];
   213      t3 = r->n[3];
   214  
   215      t4 &= 0x0FFFFFFFFFFFFULL;
   216  
   217      t1 += (t0 >> 52);
   218      t2 += (t1 >> 52); t1 &= 0xFFFFFFFFFFFFFULL; z0 |= t1; z1 &= t1;
   219      t3 += (t2 >> 52); t2 &= 0xFFFFFFFFFFFFFULL; z0 |= t2; z1 &= t2;
   220      t4 += (t3 >> 52); t3 &= 0xFFFFFFFFFFFFFULL; z0 |= t3; z1 &= t3;
   221                                                  z0 |= t4; z1 &= t4 ^ 0xF000000000000ULL;
   222  
   223      /* ... except for a possible carry at bit 48 of t4 (i.e. bit 256 of the field element) */
   224      VERIFY_CHECK(t4 >> 49 == 0);
   225  
   226      return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL);
   227  }
   228  
   229  SECP256K1_INLINE static void vet_secp256k1_fe_set_int(vet_secp256k1_fe *r, int a) {
   230      r->n[0] = a;
   231      r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0;
   232  #ifdef VERIFY
   233      r->magnitude = 1;
   234      r->normalized = 1;
   235      vet_secp256k1_fe_verify(r);
   236  #endif
   237  }
   238  
   239  SECP256K1_INLINE static int vet_secp256k1_fe_is_zero(const vet_secp256k1_fe *a) {
   240      const uint64_t *t = a->n;
   241  #ifdef VERIFY
   242      VERIFY_CHECK(a->normalized);
   243      vet_secp256k1_fe_verify(a);
   244  #endif
   245      return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0;
   246  }
   247  
   248  SECP256K1_INLINE static int vet_secp256k1_fe_is_odd(const vet_secp256k1_fe *a) {
   249  #ifdef VERIFY
   250      VERIFY_CHECK(a->normalized);
   251      vet_secp256k1_fe_verify(a);
   252  #endif
   253      return a->n[0] & 1;
   254  }
   255  
   256  SECP256K1_INLINE static void vet_secp256k1_fe_clear(vet_secp256k1_fe *a) {
   257      int i;
   258  #ifdef VERIFY
   259      a->magnitude = 0;
   260      a->normalized = 1;
   261  #endif
   262      for (i=0; i<5; i++) {
   263          a->n[i] = 0;
   264      }
   265  }
   266  
   267  static int vet_secp256k1_fe_cmp_var(const vet_secp256k1_fe *a, const vet_secp256k1_fe *b) {
   268      int i;
   269  #ifdef VERIFY
   270      VERIFY_CHECK(a->normalized);
   271      VERIFY_CHECK(b->normalized);
   272      vet_secp256k1_fe_verify(a);
   273      vet_secp256k1_fe_verify(b);
   274  #endif
   275      for (i = 4; i >= 0; i--) {
   276          if (a->n[i] > b->n[i]) {
   277              return 1;
   278          }
   279          if (a->n[i] < b->n[i]) {
   280              return -1;
   281          }
   282      }
   283      return 0;
   284  }
   285  
   286  static int vet_secp256k1_fe_set_b32(vet_secp256k1_fe *r, const unsigned char *a) {
   287      int i;
   288      r->n[0] = r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0;
   289      for (i=0; i<32; i++) {
   290          int j;
   291          for (j=0; j<2; j++) {
   292              int limb = (8*i+4*j)/52;
   293              int shift = (8*i+4*j)%52;
   294              r->n[limb] |= (uint64_t)((a[31-i] >> (4*j)) & 0xF) << shift;
   295          }
   296      }
   297      if (r->n[4] == 0x0FFFFFFFFFFFFULL && (r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL && r->n[0] >= 0xFFFFEFFFFFC2FULL) {
   298          return 0;
   299      }
   300  #ifdef VERIFY
   301      r->magnitude = 1;
   302      r->normalized = 1;
   303      vet_secp256k1_fe_verify(r);
   304  #endif
   305      return 1;
   306  }
   307  
   308  /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */
   309  static void vet_secp256k1_fe_get_b32(unsigned char *r, const vet_secp256k1_fe *a) {
   310      int i;
   311  #ifdef VERIFY
   312      VERIFY_CHECK(a->normalized);
   313      vet_secp256k1_fe_verify(a);
   314  #endif
   315      for (i=0; i<32; i++) {
   316          int j;
   317          int c = 0;
   318          for (j=0; j<2; j++) {
   319              int limb = (8*i+4*j)/52;
   320              int shift = (8*i+4*j)%52;
   321              c |= ((a->n[limb] >> shift) & 0xF) << (4 * j);
   322          }
   323          r[31-i] = c;
   324      }
   325  }
   326  
   327  SECP256K1_INLINE static void vet_secp256k1_fe_negate(vet_secp256k1_fe *r, const vet_secp256k1_fe *a, int m) {
   328  #ifdef VERIFY
   329      VERIFY_CHECK(a->magnitude <= m);
   330      vet_secp256k1_fe_verify(a);
   331  #endif
   332      r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0];
   333      r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1];
   334      r->n[2] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[2];
   335      r->n[3] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[3];
   336      r->n[4] = 0x0FFFFFFFFFFFFULL * 2 * (m + 1) - a->n[4];
   337  #ifdef VERIFY
   338      r->magnitude = m + 1;
   339      r->normalized = 0;
   340      vet_secp256k1_fe_verify(r);
   341  #endif
   342  }
   343  
   344  SECP256K1_INLINE static void vet_secp256k1_fe_mul_int(vet_secp256k1_fe *r, int a) {
   345      r->n[0] *= a;
   346      r->n[1] *= a;
   347      r->n[2] *= a;
   348      r->n[3] *= a;
   349      r->n[4] *= a;
   350  #ifdef VERIFY
   351      r->magnitude *= a;
   352      r->normalized = 0;
   353      vet_secp256k1_fe_verify(r);
   354  #endif
   355  }
   356  
   357  SECP256K1_INLINE static void vet_secp256k1_fe_add(vet_secp256k1_fe *r, const vet_secp256k1_fe *a) {
   358  #ifdef VERIFY
   359      vet_secp256k1_fe_verify(a);
   360  #endif
   361      r->n[0] += a->n[0];
   362      r->n[1] += a->n[1];
   363      r->n[2] += a->n[2];
   364      r->n[3] += a->n[3];
   365      r->n[4] += a->n[4];
   366  #ifdef VERIFY
   367      r->magnitude += a->magnitude;
   368      r->normalized = 0;
   369      vet_secp256k1_fe_verify(r);
   370  #endif
   371  }
   372  
   373  static void vet_secp256k1_fe_mul(vet_secp256k1_fe *r, const vet_secp256k1_fe *a, const vet_secp256k1_fe * SECP256K1_RESTRICT b) {
   374  #ifdef VERIFY
   375      VERIFY_CHECK(a->magnitude <= 8);
   376      VERIFY_CHECK(b->magnitude <= 8);
   377      vet_secp256k1_fe_verify(a);
   378      vet_secp256k1_fe_verify(b);
   379      VERIFY_CHECK(r != b);
   380  #endif
   381      vet_secp256k1_fe_mul_inner(r->n, a->n, b->n);
   382  #ifdef VERIFY
   383      r->magnitude = 1;
   384      r->normalized = 0;
   385      vet_secp256k1_fe_verify(r);
   386  #endif
   387  }
   388  
   389  static void vet_secp256k1_fe_sqr(vet_secp256k1_fe *r, const vet_secp256k1_fe *a) {
   390  #ifdef VERIFY
   391      VERIFY_CHECK(a->magnitude <= 8);
   392      vet_secp256k1_fe_verify(a);
   393  #endif
   394      vet_secp256k1_fe_sqr_inner(r->n, a->n);
   395  #ifdef VERIFY
   396      r->magnitude = 1;
   397      r->normalized = 0;
   398      vet_secp256k1_fe_verify(r);
   399  #endif
   400  }
   401  
   402  static SECP256K1_INLINE void vet_secp256k1_fe_cmov(vet_secp256k1_fe *r, const vet_secp256k1_fe *a, int flag) {
   403      uint64_t mask0, mask1;
   404      mask0 = flag + ~((uint64_t)0);
   405      mask1 = ~mask0;
   406      r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
   407      r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
   408      r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
   409      r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
   410      r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
   411  #ifdef VERIFY
   412      if (a->magnitude > r->magnitude) {
   413          r->magnitude = a->magnitude;
   414      }
   415      r->normalized &= a->normalized;
   416  #endif
   417  }
   418  
   419  static SECP256K1_INLINE void vet_secp256k1_fe_storage_cmov(vet_secp256k1_fe_storage *r, const vet_secp256k1_fe_storage *a, int flag) {
   420      uint64_t mask0, mask1;
   421      mask0 = flag + ~((uint64_t)0);
   422      mask1 = ~mask0;
   423      r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
   424      r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
   425      r->n[2] = (r->n[2] & mask0) | (a->n[2] & mask1);
   426      r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
   427  }
   428  
   429  static void vet_secp256k1_fe_to_storage(vet_secp256k1_fe_storage *r, const vet_secp256k1_fe *a) {
   430  #ifdef VERIFY
   431      VERIFY_CHECK(a->normalized);
   432  #endif
   433      r->n[0] = a->n[0] | a->n[1] << 52;
   434      r->n[1] = a->n[1] >> 12 | a->n[2] << 40;
   435      r->n[2] = a->n[2] >> 24 | a->n[3] << 28;
   436      r->n[3] = a->n[3] >> 36 | a->n[4] << 16;
   437  }
   438  
   439  static SECP256K1_INLINE void vet_secp256k1_fe_from_storage(vet_secp256k1_fe *r, const vet_secp256k1_fe_storage *a) {
   440      r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL;
   441      r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL);
   442      r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL);
   443      r->n[3] = a->n[2] >> 28 | ((a->n[3] << 36) & 0xFFFFFFFFFFFFFULL);
   444      r->n[4] = a->n[3] >> 16;
   445  #ifdef VERIFY
   446      r->magnitude = 1;
   447      r->normalized = 1;
   448  #endif
   449  }
   450  
   451  #endif