From 4285a98722952c18e3f7d8802a86f82b6fce1923 Mon Sep 17 00:00:00 2001 From: Pieter Wuille Date: Thu, 27 Nov 2014 00:08:52 +0100 Subject: [PATCH] Move lambda-splitting code to scalar. It's not really an operation on group elements. --- src/group.h | 5 ---- src/group_impl.h | 47 ------------------------------- src/scalar.h | 3 ++ src/scalar_impl.h | 72 ++++++++++++++++++++++++++++++++++++++++++++++- src/secp256k1.c | 2 ++ 5 files changed, 76 insertions(+), 53 deletions(-) diff --git a/src/group.h b/src/group.h index ba02549821..1600e96a27 100644 --- a/src/group.h +++ b/src/group.h @@ -34,7 +34,6 @@ typedef struct { #ifdef USE_ENDOMORPHISM /* constants related to secp256k1's efficiently computable endomorphism */ secp256k1_fe_t beta; - secp256k1_num_t lambda, a1b2, b1, a2; #endif } secp256k1_ge_consts_t; @@ -112,10 +111,6 @@ static void secp256k1_gej_get_hex(char *r, int *rlen, const secp256k1_gej_t *a); #ifdef USE_ENDOMORPHISM /** Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. */ static void secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t *a); - -/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (given that a is - not more than 256 bits). */ -static void secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a); #endif /** Clear a secp256k1_gej_t to prevent leaking sensitive information. */ diff --git a/src/group_impl.h b/src/group_impl.h index 93d8583e43..84a87abc83 100644 --- a/src/group_impl.h +++ b/src/group_impl.h @@ -414,30 +414,6 @@ static void secp256k1_gej_mul_lambda(secp256k1_gej_t *r, const secp256k1_gej_t * *r = *a; secp256k1_fe_mul(&r->x, &r->x, beta); } - -static void secp256k1_gej_split_exp_var(secp256k1_num_t *r1, secp256k1_num_t *r2, const secp256k1_num_t *a) { - const secp256k1_ge_consts_t *c = secp256k1_ge_consts; - secp256k1_num_t bnc1, bnc2, bnt1, bnt2, bnn2; - - secp256k1_num_copy(&bnn2, &c->order); - secp256k1_num_shift(&bnn2, 1); - - secp256k1_num_mul(&bnc1, a, &c->a1b2); - secp256k1_num_add(&bnc1, &bnc1, &bnn2); - secp256k1_num_div(&bnc1, &bnc1, &c->order); - - secp256k1_num_mul(&bnc2, a, &c->b1); - secp256k1_num_add(&bnc2, &bnc2, &bnn2); - secp256k1_num_div(&bnc2, &bnc2, &c->order); - - secp256k1_num_mul(&bnt1, &bnc1, &c->a1b2); - secp256k1_num_mul(&bnt2, &bnc2, &c->a2); - secp256k1_num_add(&bnt1, &bnt1, &bnt2); - secp256k1_num_sub(r1, a, &bnt1); - secp256k1_num_mul(&bnt1, &bnc1, &c->b1); - secp256k1_num_mul(&bnt2, &bnc2, &c->a1b2); - secp256k1_num_sub(r2, &bnt1, &bnt2); -} #endif @@ -462,31 +438,12 @@ static void secp256k1_ge_start(void) { }; #ifdef USE_ENDOMORPHISM /* properties of secp256k1's efficiently computable endomorphism */ - static const unsigned char secp256k1_ge_consts_lambda[] = { - 0x53,0x63,0xad,0x4c,0xc0,0x5c,0x30,0xe0, - 0xa5,0x26,0x1c,0x02,0x88,0x12,0x64,0x5a, - 0x12,0x2e,0x22,0xea,0x20,0x81,0x66,0x78, - 0xdf,0x02,0x96,0x7c,0x1b,0x23,0xbd,0x72 - }; static const unsigned char secp256k1_ge_consts_beta[] = { 0x7a,0xe9,0x6a,0x2b,0x65,0x7c,0x07,0x10, 0x6e,0x64,0x47,0x9e,0xac,0x34,0x34,0xe9, 0x9c,0xf0,0x49,0x75,0x12,0xf5,0x89,0x95, 0xc1,0x39,0x6c,0x28,0x71,0x95,0x01,0xee }; - static const unsigned char secp256k1_ge_consts_a1b2[] = { - 0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd, - 0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15 - }; - static const unsigned char secp256k1_ge_consts_b1[] = { - 0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28, - 0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3 - }; - static const unsigned char secp256k1_ge_consts_a2[] = { - 0x01, - 0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3,0xf6, - 0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf,0xd8 - }; #endif if (secp256k1_ge_consts == NULL) { secp256k1_ge_consts_t *ret = (secp256k1_ge_consts_t*)malloc(sizeof(secp256k1_ge_consts_t)); @@ -494,10 +451,6 @@ static void secp256k1_ge_start(void) { secp256k1_num_copy(&ret->half_order, &ret->order); secp256k1_num_shift(&ret->half_order, 1); #ifdef USE_ENDOMORPHISM - secp256k1_num_set_bin(&ret->lambda, secp256k1_ge_consts_lambda, sizeof(secp256k1_ge_consts_lambda)); - secp256k1_num_set_bin(&ret->a1b2, secp256k1_ge_consts_a1b2, sizeof(secp256k1_ge_consts_a1b2)); - secp256k1_num_set_bin(&ret->a2, secp256k1_ge_consts_a2, sizeof(secp256k1_ge_consts_a2)); - secp256k1_num_set_bin(&ret->b1, secp256k1_ge_consts_b1, sizeof(secp256k1_ge_consts_b1)); VERIFY_CHECK(secp256k1_fe_set_b32(&ret->beta, secp256k1_ge_consts_beta)); #endif secp256k1_fe_t g_x, g_y; diff --git a/src/scalar.h b/src/scalar.h index 64058e9c50..4b5d73fdeb 100644 --- a/src/scalar.h +++ b/src/scalar.h @@ -21,6 +21,9 @@ #error "Please select scalar implementation" #endif +static void secp256k1_scalar_start(void); +static void secp256k1_scalar_stop(void); + /** Clear a scalar to prevent the leak of sensitive data. */ static void secp256k1_scalar_clear(secp256k1_scalar_t *r); diff --git a/src/scalar_impl.h b/src/scalar_impl.h index 9f04c59772..dcddf3b413 100644 --- a/src/scalar_impl.h +++ b/src/scalar_impl.h @@ -24,6 +24,54 @@ #error "Please select scalar implementation" #endif +typedef struct { +#ifdef USE_ENDOMORPHISM + secp256k1_num_t a1b2, b1, a2; +#endif +} secp256k1_scalar_consts_t; + +static const secp256k1_scalar_consts_t *secp256k1_scalar_consts = NULL; + +static void secp256k1_scalar_start(void) { + if (secp256k1_scalar_consts != NULL) + return; + + /* Allocate. */ + secp256k1_scalar_consts_t *ret = (secp256k1_scalar_consts_t*)malloc(sizeof(secp256k1_scalar_consts_t)); + +#ifdef USE_ENDOMORPHISM + static const unsigned char secp256k1_scalar_consts_a1b2[] = { + 0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd, + 0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15 + }; + static const unsigned char secp256k1_scalar_consts_b1[] = { + 0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28, + 0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3 + }; + static const unsigned char secp256k1_scalar_consts_a2[] = { + 0x01, + 0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3,0xf6, + 0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf,0xd8 + }; + + secp256k1_num_set_bin(&ret->a1b2, secp256k1_scalar_consts_a1b2, sizeof(secp256k1_scalar_consts_a1b2)); + secp256k1_num_set_bin(&ret->a2, secp256k1_scalar_consts_a2, sizeof(secp256k1_scalar_consts_a2)); + secp256k1_num_set_bin(&ret->b1, secp256k1_scalar_consts_b1, sizeof(secp256k1_scalar_consts_b1)); +#endif + + /* Set the global pointer. */ + secp256k1_scalar_consts = ret; +} + +static void secp256k1_scalar_stop(void) { + if (secp256k1_scalar_consts == NULL) + return; + + secp256k1_scalar_consts_t *c = (secp256k1_scalar_consts_t*)secp256k1_scalar_consts; + secp256k1_scalar_consts = NULL; + free(c); +} + static void secp256k1_scalar_get_num(secp256k1_num_t *r, const secp256k1_scalar_t *a) { unsigned char c[32]; secp256k1_scalar_get_b32(c, a); @@ -206,7 +254,29 @@ static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_ secp256k1_num_set_bin(&na, b, 32); secp256k1_num_t rn1, rn2; - secp256k1_gej_split_exp_var(&rn1, &rn2, &na); + + const secp256k1_scalar_consts_t *c = secp256k1_scalar_consts; + const secp256k1_num_t *order = &secp256k1_ge_consts->order; + secp256k1_num_t bnc1, bnc2, bnt1, bnt2, bnn2; + + secp256k1_num_copy(&bnn2, order); + secp256k1_num_shift(&bnn2, 1); + + secp256k1_num_mul(&bnc1, &na, &c->a1b2); + secp256k1_num_add(&bnc1, &bnc1, &bnn2); + secp256k1_num_div(&bnc1, &bnc1, order); + + secp256k1_num_mul(&bnc2, &na, &c->b1); + secp256k1_num_add(&bnc2, &bnc2, &bnn2); + secp256k1_num_div(&bnc2, &bnc2, order); + + secp256k1_num_mul(&bnt1, &bnc1, &c->a1b2); + secp256k1_num_mul(&bnt2, &bnc2, &c->a2); + secp256k1_num_add(&bnt1, &bnt1, &bnt2); + secp256k1_num_sub(&rn1, &na, &bnt1); + secp256k1_num_mul(&bnt1, &bnc1, &c->b1); + secp256k1_num_mul(&bnt2, &bnc2, &c->a1b2); + secp256k1_num_sub(&rn2, &bnt1, &bnt2); secp256k1_num_get_bin(b, 32, &rn1); secp256k1_scalar_set_b32(r1, b, NULL); diff --git a/src/secp256k1.c b/src/secp256k1.c index c636145054..20fc27df74 100644 --- a/src/secp256k1.c +++ b/src/secp256k1.c @@ -21,6 +21,7 @@ void secp256k1_start(unsigned int flags) { secp256k1_fe_start(); secp256k1_ge_start(); + secp256k1_scalar_start(); secp256k1_ecdsa_start(); if (flags & SECP256K1_START_SIGN) { secp256k1_ecmult_gen_start(); @@ -34,6 +35,7 @@ void secp256k1_stop(void) { secp256k1_ecmult_stop(); secp256k1_ecmult_gen_stop(); secp256k1_ecdsa_stop(); + secp256k1_scalar_stop(); secp256k1_ge_stop(); secp256k1_fe_stop(); }