From d7174edf5fd9e7e1bfcd3c7e54271213b0ff9712 Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Wed, 10 Dec 2014 14:52:18 +0100
Subject: [PATCH] Weak normalization for secp256k1_fe_equal

---
 src/field.h            |  4 ++--
 src/field_10x26_impl.h | 12 ------------
 src/field_5x52_impl.h  | 11 -----------
 src/field_impl.h       |  8 ++++++++
 src/group_impl.h       | 35 +++++++++++++----------------------
 src/tests.c            | 10 +++++-----
 6 files changed, 28 insertions(+), 52 deletions(-)

diff --git a/src/field.h b/src/field.h
index 391d97a6d3b..940632f7de8 100644
--- a/src/field.h
+++ b/src/field.h
@@ -63,8 +63,8 @@ static int secp256k1_fe_is_zero(const secp256k1_fe_t *a);
 /** Check the "oddness" of a field element. Requires the input to be normalized. */
 static int secp256k1_fe_is_odd(const secp256k1_fe_t *a);
 
-/** Compare two field elements. Requires both inputs to be normalized */
-static int secp256k1_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b);
+/** Compare two field elements. Requires magnitude-1 inputs. */
+static int secp256k1_fe_equal_var(const secp256k1_fe_t *a, const secp256k1_fe_t *b);
 
 /** Compare two field elements. Requires both inputs to be normalized */
 static int secp256k1_fe_cmp_var(const secp256k1_fe_t *a, const secp256k1_fe_t *b);
diff --git a/src/field_10x26_impl.h b/src/field_10x26_impl.h
index 368e85186a6..71ae7973f78 100644
--- a/src/field_10x26_impl.h
+++ b/src/field_10x26_impl.h
@@ -224,18 +224,6 @@ SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe_t *a) {
     }
 }
 
-SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
-#ifdef VERIFY
-    VERIFY_CHECK(a->normalized);
-    VERIFY_CHECK(b->normalized);
-    secp256k1_fe_verify(a);
-    secp256k1_fe_verify(b);
-#endif
-    const uint32_t *t = a->n, *u = b->n;
-    return ((t[0]^u[0]) | (t[1]^u[1]) | (t[2]^u[2]) | (t[3]^u[3]) | (t[4]^u[4])
-          | (t[5]^u[5]) | (t[6]^u[6]) | (t[7]^u[7]) | (t[8]^u[8]) | (t[9]^u[9])) == 0;
-}
-
 static int secp256k1_fe_cmp_var(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
 #ifdef VERIFY
     VERIFY_CHECK(a->normalized);
diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h
index 74e5ab237a7..27462b8e743 100644
--- a/src/field_5x52_impl.h
+++ b/src/field_5x52_impl.h
@@ -205,17 +205,6 @@ SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe_t *a) {
     }
 }
 
-SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
-#ifdef VERIFY
-    VERIFY_CHECK(a->normalized);
-    VERIFY_CHECK(b->normalized);
-    secp256k1_fe_verify(a);
-    secp256k1_fe_verify(b);
-#endif
-    const uint64_t *t = a->n, *u = b->n;
-    return ((t[0]^u[0]) | (t[1]^u[1]) | (t[2]^u[2]) | (t[3]^u[3]) | (t[4]^u[4])) == 0;
-}
-
 static int secp256k1_fe_cmp_var(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
 #ifdef VERIFY
     VERIFY_CHECK(a->normalized);
diff --git a/src/field_impl.h b/src/field_impl.h
index 37df2e0a64e..abd8fa61013 100644
--- a/src/field_impl.h
+++ b/src/field_impl.h
@@ -64,6 +64,14 @@ static int secp256k1_fe_set_hex(secp256k1_fe_t *r, const char *a, int alen) {
     return secp256k1_fe_set_b32(r, tmp);
 }
 
+SECP256K1_INLINE static int secp256k1_fe_equal_var(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
+    secp256k1_fe_t na;
+    secp256k1_fe_negate(&na, a, 1);
+    secp256k1_fe_add(&na, b);
+    secp256k1_fe_normalize_var(&na);
+    return secp256k1_fe_is_zero(&na);
+}
+
 static int secp256k1_fe_sqrt_var(secp256k1_fe_t *r, const secp256k1_fe_t *a) {
 
     /** The binary representation of (p + 1)/4 has 3 blocks of 1s, with lengths in
diff --git a/src/group_impl.h b/src/group_impl.h
index 82bfd370c6a..45383c0f154 100644
--- a/src/group_impl.h
+++ b/src/group_impl.h
@@ -161,9 +161,9 @@ static int secp256k1_gej_eq_x_var(const secp256k1_fe_t *x, const secp256k1_gej_t
     VERIFY_CHECK(!a->infinity);
     secp256k1_fe_t r; secp256k1_fe_sqr(&r, &a->z); secp256k1_fe_mul(&r, &r, x);
     secp256k1_fe_t r2 = a->x;
-    secp256k1_fe_normalize_var(&r);
-    secp256k1_fe_normalize_var(&r2);
-    return secp256k1_fe_equal(&r, &r2);
+    secp256k1_fe_normalize_weak(&r);
+    secp256k1_fe_normalize_weak(&r2);
+    return secp256k1_fe_equal_var(&r, &r2);
 }
 
 static void secp256k1_gej_neg(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
@@ -193,9 +193,8 @@ static int secp256k1_gej_is_valid_var(const secp256k1_gej_t *a) {
     secp256k1_fe_t z6; secp256k1_fe_sqr(&z6, &z2); secp256k1_fe_mul(&z6, &z6, &z2);
     secp256k1_fe_mul_int(&z6, 7);
     secp256k1_fe_add(&x3, &z6);
-    secp256k1_fe_normalize_var(&y2);
-    secp256k1_fe_normalize_var(&x3);
-    return secp256k1_fe_equal(&y2, &x3);
+    secp256k1_fe_normalize_weak(&x3);
+    return secp256k1_fe_equal_var(&y2, &x3);
 }
 
 static int secp256k1_ge_is_valid_var(const secp256k1_ge_t *a) {
@@ -206,9 +205,8 @@ static int secp256k1_ge_is_valid_var(const secp256k1_ge_t *a) {
     secp256k1_fe_t x3; secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x);
     secp256k1_fe_t c; secp256k1_fe_set_int(&c, 7);
     secp256k1_fe_add(&x3, &c);
-    secp256k1_fe_normalize_var(&y2);
-    secp256k1_fe_normalize_var(&x3);
-    return secp256k1_fe_equal(&y2, &x3);
+    secp256k1_fe_normalize_weak(&x3);
+    return secp256k1_fe_equal_var(&y2, &x3);
 }
 
 static void secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
@@ -259,12 +257,8 @@ static void secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a,
     secp256k1_fe_t u2; secp256k1_fe_mul(&u2, &b->x, &z12);
     secp256k1_fe_t s1; secp256k1_fe_mul(&s1, &a->y, &z22); secp256k1_fe_mul(&s1, &s1, &b->z);
     secp256k1_fe_t s2; secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z);
-    secp256k1_fe_normalize_var(&u1);
-    secp256k1_fe_normalize_var(&u2);
-    if (secp256k1_fe_equal(&u1, &u2)) {
-        secp256k1_fe_normalize_var(&s1);
-        secp256k1_fe_normalize_var(&s2);
-        if (secp256k1_fe_equal(&s1, &s2)) {
+    if (secp256k1_fe_equal_var(&u1, &u2)) {
+        if (secp256k1_fe_equal_var(&s1, &s2)) {
             secp256k1_gej_double_var(r, a);
         } else {
             r->infinity = 1;
@@ -298,15 +292,12 @@ static void secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *
     }
     r->infinity = 0;
     secp256k1_fe_t z12; secp256k1_fe_sqr(&z12, &a->z);
-    secp256k1_fe_t u1 = a->x;
+    secp256k1_fe_t u1 = a->x; secp256k1_fe_normalize_weak(&u1);
     secp256k1_fe_t u2; secp256k1_fe_mul(&u2, &b->x, &z12);
-    secp256k1_fe_t s1 = a->y; secp256k1_fe_normalize_var(&s1);
+    secp256k1_fe_t s1 = a->y; secp256k1_fe_normalize_weak(&s1);
     secp256k1_fe_t s2; secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z);
-    secp256k1_fe_normalize_var(&u1);
-    secp256k1_fe_normalize_var(&u2);
-    if (secp256k1_fe_equal(&u1, &u2)) {
-        secp256k1_fe_normalize_var(&s2);
-        if (secp256k1_fe_equal(&s1, &s2)) {
+    if (secp256k1_fe_equal_var(&u1, &u2)) {
+        if (secp256k1_fe_equal_var(&s1, &s2)) {
             secp256k1_gej_double_var(r, a);
         } else {
             r->infinity = 1;
diff --git a/src/tests.c b/src/tests.c
index 8ba1f28682b..f08b71ba057 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -494,9 +494,9 @@ void random_fe_non_square(secp256k1_fe_t *ns) {
 }
 
 int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
-    secp256k1_fe_t an = *a; secp256k1_fe_normalize(&an);
+    secp256k1_fe_t an = *a; secp256k1_fe_normalize_weak(&an);
     secp256k1_fe_t bn = *b; secp256k1_fe_normalize_var(&bn);
-    return secp256k1_fe_equal(&an, &bn);
+    return secp256k1_fe_equal_var(&an, &bn);
 }
 
 int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
@@ -523,16 +523,16 @@ void run_field_misc(void) {
         random_fe_non_zero(&y);
         /* Test the fe equality and comparison operations. */
         CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
-        CHECK(secp256k1_fe_equal(&x, &x));
+        CHECK(secp256k1_fe_equal_var(&x, &x));
         z = x;
         secp256k1_fe_add(&z,&y);
         secp256k1_fe_normalize(&z);
         /* Test the conditional move. */
         secp256k1_fe_cmov(&z, &x, 0);
-        CHECK(secp256k1_fe_equal(&x, &z) == 0);
+        CHECK(secp256k1_fe_equal_var(&x, &z) == 0);
         CHECK(secp256k1_fe_cmp_var(&x, &z) != 0);
         secp256k1_fe_cmov(&y, &x, 1);
-        CHECK(secp256k1_fe_equal(&x, &y));
+        CHECK(secp256k1_fe_equal_var(&x, &y));
         /* Test that mul_int, mul, and add agree. */
         secp256k1_fe_add(&y, &x);
         secp256k1_fe_add(&y, &x);