github.com/luckypickle/go-ethereum-vet@v1.14.2/crypto/secp256k1/libsecp256k1/src/scalar_8x32_impl.h (about) 1 /********************************************************************** 2 * Copyright (c) 2014 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #ifndef _SECP256K1_SCALAR_REPR_IMPL_H_ 8 #define _SECP256K1_SCALAR_REPR_IMPL_H_ 9 10 /* Limbs of the secp256k1 order. */ 11 #define SECP256K1_N_0 ((uint32_t)0xD0364141UL) 12 #define SECP256K1_N_1 ((uint32_t)0xBFD25E8CUL) 13 #define SECP256K1_N_2 ((uint32_t)0xAF48A03BUL) 14 #define SECP256K1_N_3 ((uint32_t)0xBAAEDCE6UL) 15 #define SECP256K1_N_4 ((uint32_t)0xFFFFFFFEUL) 16 #define SECP256K1_N_5 ((uint32_t)0xFFFFFFFFUL) 17 #define SECP256K1_N_6 ((uint32_t)0xFFFFFFFFUL) 18 #define SECP256K1_N_7 ((uint32_t)0xFFFFFFFFUL) 19 20 /* Limbs of 2^256 minus the secp256k1 order. */ 21 #define SECP256K1_N_C_0 (~SECP256K1_N_0 + 1) 22 #define SECP256K1_N_C_1 (~SECP256K1_N_1) 23 #define SECP256K1_N_C_2 (~SECP256K1_N_2) 24 #define SECP256K1_N_C_3 (~SECP256K1_N_3) 25 #define SECP256K1_N_C_4 (1) 26 27 /* Limbs of half the secp256k1 order. */ 28 #define SECP256K1_N_H_0 ((uint32_t)0x681B20A0UL) 29 #define SECP256K1_N_H_1 ((uint32_t)0xDFE92F46UL) 30 #define SECP256K1_N_H_2 ((uint32_t)0x57A4501DUL) 31 #define SECP256K1_N_H_3 ((uint32_t)0x5D576E73UL) 32 #define SECP256K1_N_H_4 ((uint32_t)0xFFFFFFFFUL) 33 #define SECP256K1_N_H_5 ((uint32_t)0xFFFFFFFFUL) 34 #define SECP256K1_N_H_6 ((uint32_t)0xFFFFFFFFUL) 35 #define SECP256K1_N_H_7 ((uint32_t)0x7FFFFFFFUL) 36 37 SECP256K1_INLINE static void vet_secp256k1_scalar_clear(vet_secp256k1_scalar *r) { 38 r->d[0] = 0; 39 r->d[1] = 0; 40 r->d[2] = 0; 41 r->d[3] = 0; 42 r->d[4] = 0; 43 r->d[5] = 0; 44 r->d[6] = 0; 45 r->d[7] = 0; 46 } 47 48 SECP256K1_INLINE static void vet_secp256k1_scalar_set_int(vet_secp256k1_scalar *r, unsigned int v) { 49 r->d[0] = v; 50 r->d[1] = 0; 51 r->d[2] = 0; 52 r->d[3] = 0; 53 r->d[4] = 0; 54 r->d[5] = 0; 55 r->d[6] = 0; 56 r->d[7] = 0; 57 } 58 59 SECP256K1_INLINE static unsigned int vet_secp256k1_scalar_get_bits(const vet_secp256k1_scalar *a, unsigned int offset, unsigned int count) { 60 VERIFY_CHECK((offset + count - 1) >> 5 == offset >> 5); 61 return (a->d[offset >> 5] >> (offset & 0x1F)) & ((1 << count) - 1); 62 } 63 64 SECP256K1_INLINE static unsigned int vet_secp256k1_scalar_get_bits_var(const vet_secp256k1_scalar *a, unsigned int offset, unsigned int count) { 65 VERIFY_CHECK(count < 32); 66 VERIFY_CHECK(offset + count <= 256); 67 if ((offset + count - 1) >> 5 == offset >> 5) { 68 return vet_secp256k1_scalar_get_bits(a, offset, count); 69 } else { 70 VERIFY_CHECK((offset >> 5) + 1 < 8); 71 return ((a->d[offset >> 5] >> (offset & 0x1F)) | (a->d[(offset >> 5) + 1] << (32 - (offset & 0x1F)))) & ((((uint32_t)1) << count) - 1); 72 } 73 } 74 75 SECP256K1_INLINE static int vet_secp256k1_scalar_check_overflow(const vet_secp256k1_scalar *a) { 76 int yes = 0; 77 int no = 0; 78 no |= (a->d[7] < SECP256K1_N_7); /* No need for a > check. */ 79 no |= (a->d[6] < SECP256K1_N_6); /* No need for a > check. */ 80 no |= (a->d[5] < SECP256K1_N_5); /* No need for a > check. */ 81 no |= (a->d[4] < SECP256K1_N_4); 82 yes |= (a->d[4] > SECP256K1_N_4) & ~no; 83 no |= (a->d[3] < SECP256K1_N_3) & ~yes; 84 yes |= (a->d[3] > SECP256K1_N_3) & ~no; 85 no |= (a->d[2] < SECP256K1_N_2) & ~yes; 86 yes |= (a->d[2] > SECP256K1_N_2) & ~no; 87 no |= (a->d[1] < SECP256K1_N_1) & ~yes; 88 yes |= (a->d[1] > SECP256K1_N_1) & ~no; 89 yes |= (a->d[0] >= SECP256K1_N_0) & ~no; 90 return yes; 91 } 92 93 SECP256K1_INLINE static int vet_secp256k1_scalar_reduce(vet_secp256k1_scalar *r, uint32_t overflow) { 94 uint64_t t; 95 VERIFY_CHECK(overflow <= 1); 96 t = (uint64_t)r->d[0] + overflow * SECP256K1_N_C_0; 97 r->d[0] = t & 0xFFFFFFFFUL; t >>= 32; 98 t += (uint64_t)r->d[1] + overflow * SECP256K1_N_C_1; 99 r->d[1] = t & 0xFFFFFFFFUL; t >>= 32; 100 t += (uint64_t)r->d[2] + overflow * SECP256K1_N_C_2; 101 r->d[2] = t & 0xFFFFFFFFUL; t >>= 32; 102 t += (uint64_t)r->d[3] + overflow * SECP256K1_N_C_3; 103 r->d[3] = t & 0xFFFFFFFFUL; t >>= 32; 104 t += (uint64_t)r->d[4] + overflow * SECP256K1_N_C_4; 105 r->d[4] = t & 0xFFFFFFFFUL; t >>= 32; 106 t += (uint64_t)r->d[5]; 107 r->d[5] = t & 0xFFFFFFFFUL; t >>= 32; 108 t += (uint64_t)r->d[6]; 109 r->d[6] = t & 0xFFFFFFFFUL; t >>= 32; 110 t += (uint64_t)r->d[7]; 111 r->d[7] = t & 0xFFFFFFFFUL; 112 return overflow; 113 } 114 115 static int vet_secp256k1_scalar_add(vet_secp256k1_scalar *r, const vet_secp256k1_scalar *a, const vet_secp256k1_scalar *b) { 116 int overflow; 117 uint64_t t = (uint64_t)a->d[0] + b->d[0]; 118 r->d[0] = t & 0xFFFFFFFFULL; t >>= 32; 119 t += (uint64_t)a->d[1] + b->d[1]; 120 r->d[1] = t & 0xFFFFFFFFULL; t >>= 32; 121 t += (uint64_t)a->d[2] + b->d[2]; 122 r->d[2] = t & 0xFFFFFFFFULL; t >>= 32; 123 t += (uint64_t)a->d[3] + b->d[3]; 124 r->d[3] = t & 0xFFFFFFFFULL; t >>= 32; 125 t += (uint64_t)a->d[4] + b->d[4]; 126 r->d[4] = t & 0xFFFFFFFFULL; t >>= 32; 127 t += (uint64_t)a->d[5] + b->d[5]; 128 r->d[5] = t & 0xFFFFFFFFULL; t >>= 32; 129 t += (uint64_t)a->d[6] + b->d[6]; 130 r->d[6] = t & 0xFFFFFFFFULL; t >>= 32; 131 t += (uint64_t)a->d[7] + b->d[7]; 132 r->d[7] = t & 0xFFFFFFFFULL; t >>= 32; 133 overflow = t + vet_secp256k1_scalar_check_overflow(r); 134 VERIFY_CHECK(overflow == 0 || overflow == 1); 135 vet_secp256k1_scalar_reduce(r, overflow); 136 return overflow; 137 } 138 139 static void vet_secp256k1_scalar_cadd_bit(vet_secp256k1_scalar *r, unsigned int bit, int flag) { 140 uint64_t t; 141 VERIFY_CHECK(bit < 256); 142 bit += ((uint32_t) flag - 1) & 0x100; /* forcing (bit >> 5) > 7 makes this a noop */ 143 t = (uint64_t)r->d[0] + (((uint32_t)((bit >> 5) == 0)) << (bit & 0x1F)); 144 r->d[0] = t & 0xFFFFFFFFULL; t >>= 32; 145 t += (uint64_t)r->d[1] + (((uint32_t)((bit >> 5) == 1)) << (bit & 0x1F)); 146 r->d[1] = t & 0xFFFFFFFFULL; t >>= 32; 147 t += (uint64_t)r->d[2] + (((uint32_t)((bit >> 5) == 2)) << (bit & 0x1F)); 148 r->d[2] = t & 0xFFFFFFFFULL; t >>= 32; 149 t += (uint64_t)r->d[3] + (((uint32_t)((bit >> 5) == 3)) << (bit & 0x1F)); 150 r->d[3] = t & 0xFFFFFFFFULL; t >>= 32; 151 t += (uint64_t)r->d[4] + (((uint32_t)((bit >> 5) == 4)) << (bit & 0x1F)); 152 r->d[4] = t & 0xFFFFFFFFULL; t >>= 32; 153 t += (uint64_t)r->d[5] + (((uint32_t)((bit >> 5) == 5)) << (bit & 0x1F)); 154 r->d[5] = t & 0xFFFFFFFFULL; t >>= 32; 155 t += (uint64_t)r->d[6] + (((uint32_t)((bit >> 5) == 6)) << (bit & 0x1F)); 156 r->d[6] = t & 0xFFFFFFFFULL; t >>= 32; 157 t += (uint64_t)r->d[7] + (((uint32_t)((bit >> 5) == 7)) << (bit & 0x1F)); 158 r->d[7] = t & 0xFFFFFFFFULL; 159 #ifdef VERIFY 160 VERIFY_CHECK((t >> 32) == 0); 161 VERIFY_CHECK(vet_secp256k1_scalar_check_overflow(r) == 0); 162 #endif 163 } 164 165 static void vet_secp256k1_scalar_set_b32(vet_secp256k1_scalar *r, const unsigned char *b32, int *overflow) { 166 int over; 167 r->d[0] = (uint32_t)b32[31] | (uint32_t)b32[30] << 8 | (uint32_t)b32[29] << 16 | (uint32_t)b32[28] << 24; 168 r->d[1] = (uint32_t)b32[27] | (uint32_t)b32[26] << 8 | (uint32_t)b32[25] << 16 | (uint32_t)b32[24] << 24; 169 r->d[2] = (uint32_t)b32[23] | (uint32_t)b32[22] << 8 | (uint32_t)b32[21] << 16 | (uint32_t)b32[20] << 24; 170 r->d[3] = (uint32_t)b32[19] | (uint32_t)b32[18] << 8 | (uint32_t)b32[17] << 16 | (uint32_t)b32[16] << 24; 171 r->d[4] = (uint32_t)b32[15] | (uint32_t)b32[14] << 8 | (uint32_t)b32[13] << 16 | (uint32_t)b32[12] << 24; 172 r->d[5] = (uint32_t)b32[11] | (uint32_t)b32[10] << 8 | (uint32_t)b32[9] << 16 | (uint32_t)b32[8] << 24; 173 r->d[6] = (uint32_t)b32[7] | (uint32_t)b32[6] << 8 | (uint32_t)b32[5] << 16 | (uint32_t)b32[4] << 24; 174 r->d[7] = (uint32_t)b32[3] | (uint32_t)b32[2] << 8 | (uint32_t)b32[1] << 16 | (uint32_t)b32[0] << 24; 175 over = vet_secp256k1_scalar_reduce(r, vet_secp256k1_scalar_check_overflow(r)); 176 if (overflow) { 177 *overflow = over; 178 } 179 } 180 181 static void vet_secp256k1_scalar_get_b32(unsigned char *bin, const vet_secp256k1_scalar* a) { 182 bin[0] = a->d[7] >> 24; bin[1] = a->d[7] >> 16; bin[2] = a->d[7] >> 8; bin[3] = a->d[7]; 183 bin[4] = a->d[6] >> 24; bin[5] = a->d[6] >> 16; bin[6] = a->d[6] >> 8; bin[7] = a->d[6]; 184 bin[8] = a->d[5] >> 24; bin[9] = a->d[5] >> 16; bin[10] = a->d[5] >> 8; bin[11] = a->d[5]; 185 bin[12] = a->d[4] >> 24; bin[13] = a->d[4] >> 16; bin[14] = a->d[4] >> 8; bin[15] = a->d[4]; 186 bin[16] = a->d[3] >> 24; bin[17] = a->d[3] >> 16; bin[18] = a->d[3] >> 8; bin[19] = a->d[3]; 187 bin[20] = a->d[2] >> 24; bin[21] = a->d[2] >> 16; bin[22] = a->d[2] >> 8; bin[23] = a->d[2]; 188 bin[24] = a->d[1] >> 24; bin[25] = a->d[1] >> 16; bin[26] = a->d[1] >> 8; bin[27] = a->d[1]; 189 bin[28] = a->d[0] >> 24; bin[29] = a->d[0] >> 16; bin[30] = a->d[0] >> 8; bin[31] = a->d[0]; 190 } 191 192 SECP256K1_INLINE static int vet_secp256k1_scalar_is_zero(const vet_secp256k1_scalar *a) { 193 return (a->d[0] | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; 194 } 195 196 static void vet_secp256k1_scalar_negate(vet_secp256k1_scalar *r, const vet_secp256k1_scalar *a) { 197 uint32_t nonzero = 0xFFFFFFFFUL * (vet_secp256k1_scalar_is_zero(a) == 0); 198 uint64_t t = (uint64_t)(~a->d[0]) + SECP256K1_N_0 + 1; 199 r->d[0] = t & nonzero; t >>= 32; 200 t += (uint64_t)(~a->d[1]) + SECP256K1_N_1; 201 r->d[1] = t & nonzero; t >>= 32; 202 t += (uint64_t)(~a->d[2]) + SECP256K1_N_2; 203 r->d[2] = t & nonzero; t >>= 32; 204 t += (uint64_t)(~a->d[3]) + SECP256K1_N_3; 205 r->d[3] = t & nonzero; t >>= 32; 206 t += (uint64_t)(~a->d[4]) + SECP256K1_N_4; 207 r->d[4] = t & nonzero; t >>= 32; 208 t += (uint64_t)(~a->d[5]) + SECP256K1_N_5; 209 r->d[5] = t & nonzero; t >>= 32; 210 t += (uint64_t)(~a->d[6]) + SECP256K1_N_6; 211 r->d[6] = t & nonzero; t >>= 32; 212 t += (uint64_t)(~a->d[7]) + SECP256K1_N_7; 213 r->d[7] = t & nonzero; 214 } 215 216 SECP256K1_INLINE static int vet_secp256k1_scalar_is_one(const vet_secp256k1_scalar *a) { 217 return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; 218 } 219 220 static int vet_secp256k1_scalar_is_high(const vet_secp256k1_scalar *a) { 221 int yes = 0; 222 int no = 0; 223 no |= (a->d[7] < SECP256K1_N_H_7); 224 yes |= (a->d[7] > SECP256K1_N_H_7) & ~no; 225 no |= (a->d[6] < SECP256K1_N_H_6) & ~yes; /* No need for a > check. */ 226 no |= (a->d[5] < SECP256K1_N_H_5) & ~yes; /* No need for a > check. */ 227 no |= (a->d[4] < SECP256K1_N_H_4) & ~yes; /* No need for a > check. */ 228 no |= (a->d[3] < SECP256K1_N_H_3) & ~yes; 229 yes |= (a->d[3] > SECP256K1_N_H_3) & ~no; 230 no |= (a->d[2] < SECP256K1_N_H_2) & ~yes; 231 yes |= (a->d[2] > SECP256K1_N_H_2) & ~no; 232 no |= (a->d[1] < SECP256K1_N_H_1) & ~yes; 233 yes |= (a->d[1] > SECP256K1_N_H_1) & ~no; 234 yes |= (a->d[0] > SECP256K1_N_H_0) & ~no; 235 return yes; 236 } 237 238 static int vet_secp256k1_scalar_cond_negate(vet_secp256k1_scalar *r, int flag) { 239 /* If we are flag = 0, mask = 00...00 and this is a no-op; 240 * if we are flag = 1, mask = 11...11 and this is identical to secp256k1_scalar_negate */ 241 uint32_t mask = !flag - 1; 242 uint32_t nonzero = 0xFFFFFFFFUL * (vet_secp256k1_scalar_is_zero(r) == 0); 243 uint64_t t = (uint64_t)(r->d[0] ^ mask) + ((SECP256K1_N_0 + 1) & mask); 244 r->d[0] = t & nonzero; t >>= 32; 245 t += (uint64_t)(r->d[1] ^ mask) + (SECP256K1_N_1 & mask); 246 r->d[1] = t & nonzero; t >>= 32; 247 t += (uint64_t)(r->d[2] ^ mask) + (SECP256K1_N_2 & mask); 248 r->d[2] = t & nonzero; t >>= 32; 249 t += (uint64_t)(r->d[3] ^ mask) + (SECP256K1_N_3 & mask); 250 r->d[3] = t & nonzero; t >>= 32; 251 t += (uint64_t)(r->d[4] ^ mask) + (SECP256K1_N_4 & mask); 252 r->d[4] = t & nonzero; t >>= 32; 253 t += (uint64_t)(r->d[5] ^ mask) + (SECP256K1_N_5 & mask); 254 r->d[5] = t & nonzero; t >>= 32; 255 t += (uint64_t)(r->d[6] ^ mask) + (SECP256K1_N_6 & mask); 256 r->d[6] = t & nonzero; t >>= 32; 257 t += (uint64_t)(r->d[7] ^ mask) + (SECP256K1_N_7 & mask); 258 r->d[7] = t & nonzero; 259 return 2 * (mask == 0) - 1; 260 } 261 262 263 /* Inspired by the macros in OpenSSL's crypto/bn/asm/x86_64-gcc.c. */ 264 265 /** Add a*b to the number defined by (c0,c1,c2). c2 must never overflow. */ 266 #define muladd(a,b) { \ 267 uint32_t tl, th; \ 268 { \ 269 uint64_t t = (uint64_t)a * b; \ 270 th = t >> 32; /* at most 0xFFFFFFFE */ \ 271 tl = t; \ 272 } \ 273 c0 += tl; /* overflow is handled on the next line */ \ 274 th += (c0 < tl) ? 1 : 0; /* at most 0xFFFFFFFF */ \ 275 c1 += th; /* overflow is handled on the next line */ \ 276 c2 += (c1 < th) ? 1 : 0; /* never overflows by contract (verified in the next line) */ \ 277 VERIFY_CHECK((c1 >= th) || (c2 != 0)); \ 278 } 279 280 /** Add a*b to the number defined by (c0,c1). c1 must never overflow. */ 281 #define muladd_fast(a,b) { \ 282 uint32_t tl, th; \ 283 { \ 284 uint64_t t = (uint64_t)a * b; \ 285 th = t >> 32; /* at most 0xFFFFFFFE */ \ 286 tl = t; \ 287 } \ 288 c0 += tl; /* overflow is handled on the next line */ \ 289 th += (c0 < tl) ? 1 : 0; /* at most 0xFFFFFFFF */ \ 290 c1 += th; /* never overflows by contract (verified in the next line) */ \ 291 VERIFY_CHECK(c1 >= th); \ 292 } 293 294 /** Add 2*a*b to the number defined by (c0,c1,c2). c2 must never overflow. */ 295 #define muladd2(a,b) { \ 296 uint32_t tl, th, th2, tl2; \ 297 { \ 298 uint64_t t = (uint64_t)a * b; \ 299 th = t >> 32; /* at most 0xFFFFFFFE */ \ 300 tl = t; \ 301 } \ 302 th2 = th + th; /* at most 0xFFFFFFFE (in case th was 0x7FFFFFFF) */ \ 303 c2 += (th2 < th) ? 1 : 0; /* never overflows by contract (verified the next line) */ \ 304 VERIFY_CHECK((th2 >= th) || (c2 != 0)); \ 305 tl2 = tl + tl; /* at most 0xFFFFFFFE (in case the lowest 63 bits of tl were 0x7FFFFFFF) */ \ 306 th2 += (tl2 < tl) ? 1 : 0; /* at most 0xFFFFFFFF */ \ 307 c0 += tl2; /* overflow is handled on the next line */ \ 308 th2 += (c0 < tl2) ? 1 : 0; /* second overflow is handled on the next line */ \ 309 c2 += (c0 < tl2) & (th2 == 0); /* never overflows by contract (verified the next line) */ \ 310 VERIFY_CHECK((c0 >= tl2) || (th2 != 0) || (c2 != 0)); \ 311 c1 += th2; /* overflow is handled on the next line */ \ 312 c2 += (c1 < th2) ? 1 : 0; /* never overflows by contract (verified the next line) */ \ 313 VERIFY_CHECK((c1 >= th2) || (c2 != 0)); \ 314 } 315 316 /** Add a to the number defined by (c0,c1,c2). c2 must never overflow. */ 317 #define sumadd(a) { \ 318 unsigned int over; \ 319 c0 += (a); /* overflow is handled on the next line */ \ 320 over = (c0 < (a)) ? 1 : 0; \ 321 c1 += over; /* overflow is handled on the next line */ \ 322 c2 += (c1 < over) ? 1 : 0; /* never overflows by contract */ \ 323 } 324 325 /** Add a to the number defined by (c0,c1). c1 must never overflow, c2 must be zero. */ 326 #define sumadd_fast(a) { \ 327 c0 += (a); /* overflow is handled on the next line */ \ 328 c1 += (c0 < (a)) ? 1 : 0; /* never overflows by contract (verified the next line) */ \ 329 VERIFY_CHECK((c1 != 0) | (c0 >= (a))); \ 330 VERIFY_CHECK(c2 == 0); \ 331 } 332 333 /** Extract the lowest 32 bits of (c0,c1,c2) into n, and left shift the number 32 bits. */ 334 #define extract(n) { \ 335 (n) = c0; \ 336 c0 = c1; \ 337 c1 = c2; \ 338 c2 = 0; \ 339 } 340 341 /** Extract the lowest 32 bits of (c0,c1,c2) into n, and left shift the number 32 bits. c2 is required to be zero. */ 342 #define extract_fast(n) { \ 343 (n) = c0; \ 344 c0 = c1; \ 345 c1 = 0; \ 346 VERIFY_CHECK(c2 == 0); \ 347 } 348 349 static void vet_secp256k1_scalar_reduce_512(vet_secp256k1_scalar *r, const uint32_t *l) { 350 uint64_t c; 351 uint32_t n0 = l[8], n1 = l[9], n2 = l[10], n3 = l[11], n4 = l[12], n5 = l[13], n6 = l[14], n7 = l[15]; 352 uint32_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9, m10, m11, m12; 353 uint32_t p0, p1, p2, p3, p4, p5, p6, p7, p8; 354 355 /* 96 bit accumulator. */ 356 uint32_t c0, c1, c2; 357 358 /* Reduce 512 bits into 385. */ 359 /* m[0..12] = l[0..7] + n[0..7] * SECP256K1_N_C. */ 360 c0 = l[0]; c1 = 0; c2 = 0; 361 muladd_fast(n0, SECP256K1_N_C_0); 362 extract_fast(m0); 363 sumadd_fast(l[1]); 364 muladd(n1, SECP256K1_N_C_0); 365 muladd(n0, SECP256K1_N_C_1); 366 extract(m1); 367 sumadd(l[2]); 368 muladd(n2, SECP256K1_N_C_0); 369 muladd(n1, SECP256K1_N_C_1); 370 muladd(n0, SECP256K1_N_C_2); 371 extract(m2); 372 sumadd(l[3]); 373 muladd(n3, SECP256K1_N_C_0); 374 muladd(n2, SECP256K1_N_C_1); 375 muladd(n1, SECP256K1_N_C_2); 376 muladd(n0, SECP256K1_N_C_3); 377 extract(m3); 378 sumadd(l[4]); 379 muladd(n4, SECP256K1_N_C_0); 380 muladd(n3, SECP256K1_N_C_1); 381 muladd(n2, SECP256K1_N_C_2); 382 muladd(n1, SECP256K1_N_C_3); 383 sumadd(n0); 384 extract(m4); 385 sumadd(l[5]); 386 muladd(n5, SECP256K1_N_C_0); 387 muladd(n4, SECP256K1_N_C_1); 388 muladd(n3, SECP256K1_N_C_2); 389 muladd(n2, SECP256K1_N_C_3); 390 sumadd(n1); 391 extract(m5); 392 sumadd(l[6]); 393 muladd(n6, SECP256K1_N_C_0); 394 muladd(n5, SECP256K1_N_C_1); 395 muladd(n4, SECP256K1_N_C_2); 396 muladd(n3, SECP256K1_N_C_3); 397 sumadd(n2); 398 extract(m6); 399 sumadd(l[7]); 400 muladd(n7, SECP256K1_N_C_0); 401 muladd(n6, SECP256K1_N_C_1); 402 muladd(n5, SECP256K1_N_C_2); 403 muladd(n4, SECP256K1_N_C_3); 404 sumadd(n3); 405 extract(m7); 406 muladd(n7, SECP256K1_N_C_1); 407 muladd(n6, SECP256K1_N_C_2); 408 muladd(n5, SECP256K1_N_C_3); 409 sumadd(n4); 410 extract(m8); 411 muladd(n7, SECP256K1_N_C_2); 412 muladd(n6, SECP256K1_N_C_3); 413 sumadd(n5); 414 extract(m9); 415 muladd(n7, SECP256K1_N_C_3); 416 sumadd(n6); 417 extract(m10); 418 sumadd_fast(n7); 419 extract_fast(m11); 420 VERIFY_CHECK(c0 <= 1); 421 m12 = c0; 422 423 /* Reduce 385 bits into 258. */ 424 /* p[0..8] = m[0..7] + m[8..12] * SECP256K1_N_C. */ 425 c0 = m0; c1 = 0; c2 = 0; 426 muladd_fast(m8, SECP256K1_N_C_0); 427 extract_fast(p0); 428 sumadd_fast(m1); 429 muladd(m9, SECP256K1_N_C_0); 430 muladd(m8, SECP256K1_N_C_1); 431 extract(p1); 432 sumadd(m2); 433 muladd(m10, SECP256K1_N_C_0); 434 muladd(m9, SECP256K1_N_C_1); 435 muladd(m8, SECP256K1_N_C_2); 436 extract(p2); 437 sumadd(m3); 438 muladd(m11, SECP256K1_N_C_0); 439 muladd(m10, SECP256K1_N_C_1); 440 muladd(m9, SECP256K1_N_C_2); 441 muladd(m8, SECP256K1_N_C_3); 442 extract(p3); 443 sumadd(m4); 444 muladd(m12, SECP256K1_N_C_0); 445 muladd(m11, SECP256K1_N_C_1); 446 muladd(m10, SECP256K1_N_C_2); 447 muladd(m9, SECP256K1_N_C_3); 448 sumadd(m8); 449 extract(p4); 450 sumadd(m5); 451 muladd(m12, SECP256K1_N_C_1); 452 muladd(m11, SECP256K1_N_C_2); 453 muladd(m10, SECP256K1_N_C_3); 454 sumadd(m9); 455 extract(p5); 456 sumadd(m6); 457 muladd(m12, SECP256K1_N_C_2); 458 muladd(m11, SECP256K1_N_C_3); 459 sumadd(m10); 460 extract(p6); 461 sumadd_fast(m7); 462 muladd_fast(m12, SECP256K1_N_C_3); 463 sumadd_fast(m11); 464 extract_fast(p7); 465 p8 = c0 + m12; 466 VERIFY_CHECK(p8 <= 2); 467 468 /* Reduce 258 bits into 256. */ 469 /* r[0..7] = p[0..7] + p[8] * SECP256K1_N_C. */ 470 c = p0 + (uint64_t)SECP256K1_N_C_0 * p8; 471 r->d[0] = c & 0xFFFFFFFFUL; c >>= 32; 472 c += p1 + (uint64_t)SECP256K1_N_C_1 * p8; 473 r->d[1] = c & 0xFFFFFFFFUL; c >>= 32; 474 c += p2 + (uint64_t)SECP256K1_N_C_2 * p8; 475 r->d[2] = c & 0xFFFFFFFFUL; c >>= 32; 476 c += p3 + (uint64_t)SECP256K1_N_C_3 * p8; 477 r->d[3] = c & 0xFFFFFFFFUL; c >>= 32; 478 c += p4 + (uint64_t)p8; 479 r->d[4] = c & 0xFFFFFFFFUL; c >>= 32; 480 c += p5; 481 r->d[5] = c & 0xFFFFFFFFUL; c >>= 32; 482 c += p6; 483 r->d[6] = c & 0xFFFFFFFFUL; c >>= 32; 484 c += p7; 485 r->d[7] = c & 0xFFFFFFFFUL; c >>= 32; 486 487 /* Final reduction of r. */ 488 vet_secp256k1_scalar_reduce(r, c + vet_secp256k1_scalar_check_overflow(r)); 489 } 490 491 static void vet_secp256k1_scalar_mul_512(uint32_t *l, const vet_secp256k1_scalar *a, const vet_secp256k1_scalar *b) { 492 /* 96 bit accumulator. */ 493 uint32_t c0 = 0, c1 = 0, c2 = 0; 494 495 /* l[0..15] = a[0..7] * b[0..7]. */ 496 muladd_fast(a->d[0], b->d[0]); 497 extract_fast(l[0]); 498 muladd(a->d[0], b->d[1]); 499 muladd(a->d[1], b->d[0]); 500 extract(l[1]); 501 muladd(a->d[0], b->d[2]); 502 muladd(a->d[1], b->d[1]); 503 muladd(a->d[2], b->d[0]); 504 extract(l[2]); 505 muladd(a->d[0], b->d[3]); 506 muladd(a->d[1], b->d[2]); 507 muladd(a->d[2], b->d[1]); 508 muladd(a->d[3], b->d[0]); 509 extract(l[3]); 510 muladd(a->d[0], b->d[4]); 511 muladd(a->d[1], b->d[3]); 512 muladd(a->d[2], b->d[2]); 513 muladd(a->d[3], b->d[1]); 514 muladd(a->d[4], b->d[0]); 515 extract(l[4]); 516 muladd(a->d[0], b->d[5]); 517 muladd(a->d[1], b->d[4]); 518 muladd(a->d[2], b->d[3]); 519 muladd(a->d[3], b->d[2]); 520 muladd(a->d[4], b->d[1]); 521 muladd(a->d[5], b->d[0]); 522 extract(l[5]); 523 muladd(a->d[0], b->d[6]); 524 muladd(a->d[1], b->d[5]); 525 muladd(a->d[2], b->d[4]); 526 muladd(a->d[3], b->d[3]); 527 muladd(a->d[4], b->d[2]); 528 muladd(a->d[5], b->d[1]); 529 muladd(a->d[6], b->d[0]); 530 extract(l[6]); 531 muladd(a->d[0], b->d[7]); 532 muladd(a->d[1], b->d[6]); 533 muladd(a->d[2], b->d[5]); 534 muladd(a->d[3], b->d[4]); 535 muladd(a->d[4], b->d[3]); 536 muladd(a->d[5], b->d[2]); 537 muladd(a->d[6], b->d[1]); 538 muladd(a->d[7], b->d[0]); 539 extract(l[7]); 540 muladd(a->d[1], b->d[7]); 541 muladd(a->d[2], b->d[6]); 542 muladd(a->d[3], b->d[5]); 543 muladd(a->d[4], b->d[4]); 544 muladd(a->d[5], b->d[3]); 545 muladd(a->d[6], b->d[2]); 546 muladd(a->d[7], b->d[1]); 547 extract(l[8]); 548 muladd(a->d[2], b->d[7]); 549 muladd(a->d[3], b->d[6]); 550 muladd(a->d[4], b->d[5]); 551 muladd(a->d[5], b->d[4]); 552 muladd(a->d[6], b->d[3]); 553 muladd(a->d[7], b->d[2]); 554 extract(l[9]); 555 muladd(a->d[3], b->d[7]); 556 muladd(a->d[4], b->d[6]); 557 muladd(a->d[5], b->d[5]); 558 muladd(a->d[6], b->d[4]); 559 muladd(a->d[7], b->d[3]); 560 extract(l[10]); 561 muladd(a->d[4], b->d[7]); 562 muladd(a->d[5], b->d[6]); 563 muladd(a->d[6], b->d[5]); 564 muladd(a->d[7], b->d[4]); 565 extract(l[11]); 566 muladd(a->d[5], b->d[7]); 567 muladd(a->d[6], b->d[6]); 568 muladd(a->d[7], b->d[5]); 569 extract(l[12]); 570 muladd(a->d[6], b->d[7]); 571 muladd(a->d[7], b->d[6]); 572 extract(l[13]); 573 muladd_fast(a->d[7], b->d[7]); 574 extract_fast(l[14]); 575 VERIFY_CHECK(c1 == 0); 576 l[15] = c0; 577 } 578 579 static void vet_secp256k1_scalar_sqr_512(uint32_t *l, const vet_secp256k1_scalar *a) { 580 /* 96 bit accumulator. */ 581 uint32_t c0 = 0, c1 = 0, c2 = 0; 582 583 /* l[0..15] = a[0..7]^2. */ 584 muladd_fast(a->d[0], a->d[0]); 585 extract_fast(l[0]); 586 muladd2(a->d[0], a->d[1]); 587 extract(l[1]); 588 muladd2(a->d[0], a->d[2]); 589 muladd(a->d[1], a->d[1]); 590 extract(l[2]); 591 muladd2(a->d[0], a->d[3]); 592 muladd2(a->d[1], a->d[2]); 593 extract(l[3]); 594 muladd2(a->d[0], a->d[4]); 595 muladd2(a->d[1], a->d[3]); 596 muladd(a->d[2], a->d[2]); 597 extract(l[4]); 598 muladd2(a->d[0], a->d[5]); 599 muladd2(a->d[1], a->d[4]); 600 muladd2(a->d[2], a->d[3]); 601 extract(l[5]); 602 muladd2(a->d[0], a->d[6]); 603 muladd2(a->d[1], a->d[5]); 604 muladd2(a->d[2], a->d[4]); 605 muladd(a->d[3], a->d[3]); 606 extract(l[6]); 607 muladd2(a->d[0], a->d[7]); 608 muladd2(a->d[1], a->d[6]); 609 muladd2(a->d[2], a->d[5]); 610 muladd2(a->d[3], a->d[4]); 611 extract(l[7]); 612 muladd2(a->d[1], a->d[7]); 613 muladd2(a->d[2], a->d[6]); 614 muladd2(a->d[3], a->d[5]); 615 muladd(a->d[4], a->d[4]); 616 extract(l[8]); 617 muladd2(a->d[2], a->d[7]); 618 muladd2(a->d[3], a->d[6]); 619 muladd2(a->d[4], a->d[5]); 620 extract(l[9]); 621 muladd2(a->d[3], a->d[7]); 622 muladd2(a->d[4], a->d[6]); 623 muladd(a->d[5], a->d[5]); 624 extract(l[10]); 625 muladd2(a->d[4], a->d[7]); 626 muladd2(a->d[5], a->d[6]); 627 extract(l[11]); 628 muladd2(a->d[5], a->d[7]); 629 muladd(a->d[6], a->d[6]); 630 extract(l[12]); 631 muladd2(a->d[6], a->d[7]); 632 extract(l[13]); 633 muladd_fast(a->d[7], a->d[7]); 634 extract_fast(l[14]); 635 VERIFY_CHECK(c1 == 0); 636 l[15] = c0; 637 } 638 639 #undef sumadd 640 #undef sumadd_fast 641 #undef muladd 642 #undef muladd_fast 643 #undef muladd2 644 #undef extract 645 #undef extract_fast 646 647 static void vet_secp256k1_scalar_mul(vet_secp256k1_scalar *r, const vet_secp256k1_scalar *a, const vet_secp256k1_scalar *b) { 648 uint32_t l[16]; 649 vet_secp256k1_scalar_mul_512(l, a, b); 650 vet_secp256k1_scalar_reduce_512(r, l); 651 } 652 653 static int vet_secp256k1_scalar_shr_int(vet_secp256k1_scalar *r, int n) { 654 int ret; 655 VERIFY_CHECK(n > 0); 656 VERIFY_CHECK(n < 16); 657 ret = r->d[0] & ((1 << n) - 1); 658 r->d[0] = (r->d[0] >> n) + (r->d[1] << (32 - n)); 659 r->d[1] = (r->d[1] >> n) + (r->d[2] << (32 - n)); 660 r->d[2] = (r->d[2] >> n) + (r->d[3] << (32 - n)); 661 r->d[3] = (r->d[3] >> n) + (r->d[4] << (32 - n)); 662 r->d[4] = (r->d[4] >> n) + (r->d[5] << (32 - n)); 663 r->d[5] = (r->d[5] >> n) + (r->d[6] << (32 - n)); 664 r->d[6] = (r->d[6] >> n) + (r->d[7] << (32 - n)); 665 r->d[7] = (r->d[7] >> n); 666 return ret; 667 } 668 669 static void vet_secp256k1_scalar_sqr(vet_secp256k1_scalar *r, const vet_secp256k1_scalar *a) { 670 uint32_t l[16]; 671 vet_secp256k1_scalar_sqr_512(l, a); 672 vet_secp256k1_scalar_reduce_512(r, l); 673 } 674 675 #ifdef USE_ENDOMORPHISM 676 static void vet_secp256k1_scalar_split_128(vet_secp256k1_scalar *r1, vet_secp256k1_scalar *r2, const vet_secp256k1_scalar *a) { 677 r1->d[0] = a->d[0]; 678 r1->d[1] = a->d[1]; 679 r1->d[2] = a->d[2]; 680 r1->d[3] = a->d[3]; 681 r1->d[4] = 0; 682 r1->d[5] = 0; 683 r1->d[6] = 0; 684 r1->d[7] = 0; 685 r2->d[0] = a->d[4]; 686 r2->d[1] = a->d[5]; 687 r2->d[2] = a->d[6]; 688 r2->d[3] = a->d[7]; 689 r2->d[4] = 0; 690 r2->d[5] = 0; 691 r2->d[6] = 0; 692 r2->d[7] = 0; 693 } 694 #endif 695 696 SECP256K1_INLINE static int vet_secp256k1_scalar_eq(const vet_secp256k1_scalar *a, const vet_secp256k1_scalar *b) { 697 return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3]) | (a->d[4] ^ b->d[4]) | (a->d[5] ^ b->d[5]) | (a->d[6] ^ b->d[6]) | (a->d[7] ^ b->d[7])) == 0; 698 } 699 700 SECP256K1_INLINE static void vet_secp256k1_scalar_mul_shift_var(vet_secp256k1_scalar *r, const vet_secp256k1_scalar *a, const vet_secp256k1_scalar *b, unsigned int shift) { 701 uint32_t l[16]; 702 unsigned int shiftlimbs; 703 unsigned int shiftlow; 704 unsigned int shifthigh; 705 VERIFY_CHECK(shift >= 256); 706 vet_secp256k1_scalar_mul_512(l, a, b); 707 shiftlimbs = shift >> 5; 708 shiftlow = shift & 0x1F; 709 shifthigh = 32 - shiftlow; 710 r->d[0] = shift < 512 ? (l[0 + shiftlimbs] >> shiftlow | (shift < 480 && shiftlow ? (l[1 + shiftlimbs] << shifthigh) : 0)) : 0; 711 r->d[1] = shift < 480 ? (l[1 + shiftlimbs] >> shiftlow | (shift < 448 && shiftlow ? (l[2 + shiftlimbs] << shifthigh) : 0)) : 0; 712 r->d[2] = shift < 448 ? (l[2 + shiftlimbs] >> shiftlow | (shift < 416 && shiftlow ? (l[3 + shiftlimbs] << shifthigh) : 0)) : 0; 713 r->d[3] = shift < 416 ? (l[3 + shiftlimbs] >> shiftlow | (shift < 384 && shiftlow ? (l[4 + shiftlimbs] << shifthigh) : 0)) : 0; 714 r->d[4] = shift < 384 ? (l[4 + shiftlimbs] >> shiftlow | (shift < 352 && shiftlow ? (l[5 + shiftlimbs] << shifthigh) : 0)) : 0; 715 r->d[5] = shift < 352 ? (l[5 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[6 + shiftlimbs] << shifthigh) : 0)) : 0; 716 r->d[6] = shift < 320 ? (l[6 + shiftlimbs] >> shiftlow | (shift < 288 && shiftlow ? (l[7 + shiftlimbs] << shifthigh) : 0)) : 0; 717 r->d[7] = shift < 288 ? (l[7 + shiftlimbs] >> shiftlow) : 0; 718 vet_secp256k1_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 5] >> ((shift - 1) & 0x1f)) & 1); 719 } 720 721 #endif