boxtec
/
bitcoin
mirror of https://github.com/bitcoin/bitcoin
4
1
Fork 0
Code Issues Projects Releases Wiki Activity

Move lambda-splitting code to scalar.

Browse Source 
It's not really an operation on group elements.
pull/11871/head
Pieter Wuille 10 years ago
parent f24041d6aa
commit 4285a98722
5 changed files with 76 additions and 53 deletions
Show Stats Download Patch File Download Diff File

5
src/group.h
Unescape View File

@ -34,7 +34,6 @@ typedef struct {
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
/* constants related to secp256k1's efficiently computable endomorphism */ /* constants related to secp256k1's efficiently computable endomorphism */
secp256k1_fe_t beta; secp256k1_fe_t beta;
secp256k1_num_t lambda, a1b2, b1, a2;
#endif #endif
} secp256k1_ge_consts_t; } secp256k1_ge_consts_t;
@ -112,10 +111,6 @@ static void secp256k1_gej_get_hex(char *r, int *rlen, const secp256k1_gej_t *a);
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
/** Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. */ /** Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. */
static void secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *a); static void secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *a);
/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (given that a is
not more than 256 bits). */
static void secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a);
#endif #endif
/** Clear a secp256k1_gej_t to prevent leaking sensitive information. */ /** Clear a secp256k1_gej_t to prevent leaking sensitive information. */

47
src/group_impl.h
Unescape View File

@ -414,30 +414,6 @@ static void secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *
*r = *a; *r = *a;
secp256k1_fe_mul(&r->x, &r->x, beta); secp256k1_fe_mul(&r->x, &r->x, beta);
} }
static void secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a) {
const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
secp256k1_num_t bnc1, bnc2, bnt1, bnt2, bnn2;
secp256k1_num_copy(&bnn2, &c->order);
secp256k1_num_shift(&bnn2, 1);
secp256k1_num_mul(&bnc1, a, &c->a1b2);
secp256k1_num_add(&bnc1, &bnc1, &bnn2);
secp256k1_num_div(&bnc1, &bnc1, &c->order);
secp256k1_num_mul(&bnc2, a, &c->b1);
secp256k1_num_add(&bnc2, &bnc2, &bnn2);
secp256k1_num_div(&bnc2, &bnc2, &c->order);
secp256k1_num_mul(&bnt1, &bnc1, &c->a1b2);
secp256k1_num_mul(&bnt2, &bnc2, &c->a2);
secp256k1_num_add(&bnt1, &bnt1, &bnt2);
secp256k1_num_sub(r1, a, &bnt1);
secp256k1_num_mul(&bnt1, &bnc1, &c->b1);
secp256k1_num_mul(&bnt2, &bnc2, &c->a1b2);
secp256k1_num_sub(r2, &bnt1, &bnt2);
}
#endif #endif
@ -462,31 +438,12 @@ static void secp256k1_ge_start(void) {
}; };
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
/* properties of secp256k1's efficiently computable endomorphism */ /* properties of secp256k1's efficiently computable endomorphism */
static const unsigned char secp256k1_ge_consts_lambda[] = {
0x53,0x63,0xad,0x4c,0xc0,0x5c,0x30,0xe0,
0xa5,0x26,0x1c,0x02,0x88,0x12,0x64,0x5a,
0x12,0x2e,0x22,0xea,0x20,0x81,0x66,0x78,
0xdf,0x02,0x96,0x7c,0x1b,0x23,0xbd,0x72
};
static const unsigned char secp256k1_ge_consts_beta[] = { static const unsigned char secp256k1_ge_consts_beta[] = {
0x7a,0xe9,0x6a,0x2b,0x65,0x7c,0x07,0x10, 0x7a,0xe9,0x6a,0x2b,0x65,0x7c,0x07,0x10,
0x6e,0x64,0x47,0x9e,0xac,0x34,0x34,0xe9, 0x6e,0x64,0x47,0x9e,0xac,0x34,0x34,0xe9,
0x9c,0xf0,0x49,0x75,0x12,0xf5,0x89,0x95, 0x9c,0xf0,0x49,0x75,0x12,0xf5,0x89,0x95,
0xc1,0x39,0x6c,0x28,0x71,0x95,0x01,0xee 0xc1,0x39,0x6c,0x28,0x71,0x95,0x01,0xee
}; };
static const unsigned char secp256k1_ge_consts_a1b2[] = {
0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd,
0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15
};
static const unsigned char secp256k1_ge_consts_b1[] = {
0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28,
0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3
};
static const unsigned char secp256k1_ge_consts_a2[] = {
0x01,
0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3,0xf6,
0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf,0xd8
};
#endif #endif
if (secp256k1_ge_consts == NULL) { if (secp256k1_ge_consts == NULL) {
secp256k1_ge_consts_t *ret = (secp256k1_ge_consts_t*)malloc(sizeof(secp256k1_ge_consts_t)); secp256k1_ge_consts_t *ret = (secp256k1_ge_consts_t*)malloc(sizeof(secp256k1_ge_consts_t));
@ -494,10 +451,6 @@ static void secp256k1_ge_start(void) {
secp256k1_num_copy(&ret->half_order, &ret->order); secp256k1_num_copy(&ret->half_order, &ret->order);
secp256k1_num_shift(&ret->half_order, 1); secp256k1_num_shift(&ret->half_order, 1);
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
secp256k1_num_set_bin(&ret->lambda, secp256k1_ge_consts_lambda, sizeof(secp256k1_ge_consts_lambda));
secp256k1_num_set_bin(&ret->a1b2, secp256k1_ge_consts_a1b2, sizeof(secp256k1_ge_consts_a1b2));
secp256k1_num_set_bin(&ret->a2, secp256k1_ge_consts_a2, sizeof(secp256k1_ge_consts_a2));
secp256k1_num_set_bin(&ret->b1, secp256k1_ge_consts_b1, sizeof(secp256k1_ge_consts_b1));
VERIFY_CHECK(secp256k1_fe_set_b32(&ret->beta, secp256k1_ge_consts_beta)); VERIFY_CHECK(secp256k1_fe_set_b32(&ret->beta, secp256k1_ge_consts_beta));
#endif #endif
secp256k1_fe_t g_x, g_y; secp256k1_fe_t g_x, g_y;

3
src/scalar.h
Unescape View File

@ -21,6 +21,9 @@
#error "Please select scalar implementation" #error "Please select scalar implementation"
#endif #endif
static void secp256k1_scalar_start(void);
static void secp256k1_scalar_stop(void);
/** Clear a scalar to prevent the leak of sensitive data. */ /** Clear a scalar to prevent the leak of sensitive data. */
static void secp256k1_scalar_clear(secp256k1_scalar_t *r); static void secp256k1_scalar_clear(secp256k1_scalar_t *r);

72
src/scalar_impl.h
Unescape View File

@ -24,6 +24,54 @@
#error "Please select scalar implementation" #error "Please select scalar implementation"
#endif #endif
typedef struct {
#ifdef USE_ENDOMORPHISM
secp256k1_num_t a1b2, b1, a2;
#endif
} secp256k1_scalar_consts_t;
static const secp256k1_scalar_consts_t *secp256k1_scalar_consts = NULL;
static void secp256k1_scalar_start(void) {
if (secp256k1_scalar_consts != NULL)
return;
/* Allocate. */
secp256k1_scalar_consts_t *ret = (secp256k1_scalar_consts_t*)malloc(sizeof(secp256k1_scalar_consts_t));
#ifdef USE_ENDOMORPHISM
static const unsigned char secp256k1_scalar_consts_a1b2[] = {
0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd,
0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15
};
static const unsigned char secp256k1_scalar_consts_b1[] = {
0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28,
0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3
};
static const unsigned char secp256k1_scalar_consts_a2[] = {
0x01,
0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3,0xf6,
0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf,0xd8
};
secp256k1_num_set_bin(&ret->a1b2, secp256k1_scalar_consts_a1b2, sizeof(secp256k1_scalar_consts_a1b2));
secp256k1_num_set_bin(&ret->a2, secp256k1_scalar_consts_a2, sizeof(secp256k1_scalar_consts_a2));
secp256k1_num_set_bin(&ret->b1, secp256k1_scalar_consts_b1, sizeof(secp256k1_scalar_consts_b1));
#endif
/* Set the global pointer. */
secp256k1_scalar_consts = ret;
}
static void secp256k1_scalar_stop(void) {
if (secp256k1_scalar_consts == NULL)
return;
secp256k1_scalar_consts_t *c = (secp256k1_scalar_consts_t*)secp256k1_scalar_consts;
secp256k1_scalar_consts = NULL;
free(c);
}
static void secp256k1_scalar_get_num(secp256k1_num_t *r, const secp256k1_scalar_t *a) { static void secp256k1_scalar_get_num(secp256k1_num_t *r, const secp256k1_scalar_t *a) {
unsigned char c[32]; unsigned char c[32];
secp256k1_scalar_get_b32(c, a); secp256k1_scalar_get_b32(c, a);
@ -206,7 +254,29 @@ static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_
secp256k1_num_set_bin(&na, b, 32); secp256k1_num_set_bin(&na, b, 32);
secp256k1_num_t rn1, rn2; secp256k1_num_t rn1, rn2;
secp256k1_gej_split_exp_var(&rn1, &rn2, &na);
const secp256k1_scalar_consts_t *c = secp256k1_scalar_consts;
const secp256k1_num_t *order = &secp256k1_ge_consts->order;
secp256k1_num_t bnc1, bnc2, bnt1, bnt2, bnn2;
secp256k1_num_copy(&bnn2, order);
secp256k1_num_shift(&bnn2, 1);
secp256k1_num_mul(&bnc1, &na, &c->a1b2);
secp256k1_num_add(&bnc1, &bnc1, &bnn2);
secp256k1_num_div(&bnc1, &bnc1, order);
secp256k1_num_mul(&bnc2, &na, &c->b1);
secp256k1_num_add(&bnc2, &bnc2, &bnn2);
secp256k1_num_div(&bnc2, &bnc2, order);
secp256k1_num_mul(&bnt1, &bnc1, &c->a1b2);
secp256k1_num_mul(&bnt2, &bnc2, &c->a2);
secp256k1_num_add(&bnt1, &bnt1, &bnt2);
secp256k1_num_sub(&rn1, &na, &bnt1);
secp256k1_num_mul(&bnt1, &bnc1, &c->b1);
secp256k1_num_mul(&bnt2, &bnc2, &c->a1b2);
secp256k1_num_sub(&rn2, &bnt1, &bnt2);
secp256k1_num_get_bin(b, 32, &rn1); secp256k1_num_get_bin(b, 32, &rn1);
secp256k1_scalar_set_b32(r1, b, NULL); secp256k1_scalar_set_b32(r1, b, NULL);

2
src/secp256k1.c
Unescape View File

@ -21,6 +21,7 @@
void secp256k1_start(unsigned int flags) { void secp256k1_start(unsigned int flags) {
secp256k1_fe_start(); secp256k1_fe_start();
secp256k1_ge_start(); secp256k1_ge_start();
secp256k1_scalar_start();
secp256k1_ecdsa_start(); secp256k1_ecdsa_start();
if (flags & SECP256K1_START_SIGN) { if (flags & SECP256K1_START_SIGN) {
secp256k1_ecmult_gen_start(); secp256k1_ecmult_gen_start();
@ -34,6 +35,7 @@ void secp256k1_stop(void) {
secp256k1_ecmult_stop(); secp256k1_ecmult_stop();
secp256k1_ecmult_gen_stop(); secp256k1_ecmult_gen_stop();
secp256k1_ecdsa_stop(); secp256k1_ecdsa_stop();
secp256k1_scalar_stop();
secp256k1_ge_stop(); secp256k1_ge_stop();
secp256k1_fe_stop(); secp256k1_fe_stop();
} }

Write Preview
Loading…
Cancel
Save