Merge pull request #201

f735446 Convert the rest of the codebase to C89. (Gregory Maxwell)
This commit is contained in:
Pieter Wuille 2015-01-25 14:22:23 -04:00
commit f0d851ee6a
No known key found for this signature in database
GPG key ID: 57896D2FF8F0B657
15 changed files with 279 additions and 196 deletions

View file

@ -5,7 +5,7 @@ AC_CONFIG_MACRO_DIR([build-aux/m4])
AC_CANONICAL_HOST AC_CANONICAL_HOST
AH_TOP([#ifndef LIBSECP256K1_CONFIG_H]) AH_TOP([#ifndef LIBSECP256K1_CONFIG_H])
AH_TOP([#define LIBSECP256K1_CONFIG_H]) AH_TOP([#define LIBSECP256K1_CONFIG_H])
AH_BOTTOM([#endif //LIBSECP256K1_CONFIG_H]) AH_BOTTOM([#endif /*LIBSECP256K1_CONFIG_H*/])
AM_INIT_AUTOMAKE([foreign subdir-objects]) AM_INIT_AUTOMAKE([foreign subdir-objects])
LT_INIT LT_INIT
@ -22,9 +22,9 @@ if test "x$CFLAGS" = "x"; then
CFLAGS="-O3 -g" CFLAGS="-O3 -g"
fi fi
AC_PROG_CC_C99 AC_PROG_CC_C89
if test x"$ac_cv_prog_cc_c99" = x"no"; then if test x"$ac_cv_prog_cc_c89" = x"no"; then
AC_MSG_ERROR([c99 compiler support required]) AC_MSG_ERROR([c89 compiler support required])
fi fi
case $host in case $host in
@ -70,7 +70,7 @@ esac
CFLAGS="$CFLAGS -W" CFLAGS="$CFLAGS -W"
warn_CFLAGS="-Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wno-unused-function" warn_CFLAGS="-std=c89 -pedantic -Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wno-unused-function -Wno-long-long"
saved_CFLAGS="$CFLAGS" saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $warn_CFLAGS" CFLAGS="$CFLAGS $warn_CFLAGS"
AC_MSG_CHECKING([if ${CC} supports ${warn_CFLAGS}]) AC_MSG_CHECKING([if ${CC} supports ${warn_CFLAGS}])

View file

@ -18,14 +18,16 @@ static double gettimedouble(void) {
} }
void run_benchmark(void (*benchmark)(void*), void (*setup)(void*), void (*teardown)(void*), void* data, int count, int iter) { void run_benchmark(void (*benchmark)(void*), void (*setup)(void*), void (*teardown)(void*), void* data, int count, int iter) {
int i;
double min = HUGE_VAL; double min = HUGE_VAL;
double sum = 0.0; double sum = 0.0;
double max = 0.0; double max = 0.0;
for (int i = 0; i < count; i++) { for (i = 0; i < count; i++) {
double begin, total;
if (setup) setup(data); if (setup) setup(data);
double begin = gettimedouble(); begin = gettimedouble();
benchmark(data); benchmark(data);
double total = gettimedouble() - begin; total = gettimedouble() - begin;
if (teardown) teardown(data); if (teardown) teardown(data);
if (total < min) min = total; if (total < min) min = total;
if (total > max) max = total; if (total > max) max = total;

View file

@ -33,9 +33,10 @@ void bench_inv_setup(void* arg) {
} }
void bench_inv(void* arg) { void bench_inv(void* arg) {
int i;
bench_inv_t *data = (bench_inv_t*)arg; bench_inv_t *data = (bench_inv_t*)arg;
for (int i=0; i<20000; i++) { for (i = 0; i < 20000; i++) {
secp256k1_scalar_inverse(&data->x, &data->x); secp256k1_scalar_inverse(&data->x, &data->x);
secp256k1_scalar_add(&data->x, &data->x, &data->base); secp256k1_scalar_add(&data->x, &data->x, &data->base);
} }

View file

@ -14,13 +14,15 @@ typedef struct {
} bench_recover_t; } bench_recover_t;
void bench_recover(void* arg) { void bench_recover(void* arg) {
int i;
bench_recover_t *data = (bench_recover_t*)arg; bench_recover_t *data = (bench_recover_t*)arg;
unsigned char pubkey[33]; unsigned char pubkey[33];
for (int i=0; i<20000; i++) {
for (i = 0; i < 20000; i++) {
int j;
int pubkeylen = 33; int pubkeylen = 33;
CHECK(secp256k1_ecdsa_recover_compact(data->msg, data->sig, pubkey, &pubkeylen, 1, i % 2)); CHECK(secp256k1_ecdsa_recover_compact(data->msg, data->sig, pubkey, &pubkeylen, 1, i % 2));
for (int j = 0; j < 32; j++) { for (j = 0; j < 32; j++) {
data->sig[j + 32] = data->msg[j]; /* Move former message to S. */ data->sig[j + 32] = data->msg[j]; /* Move former message to S. */
data->msg[j] = data->sig[j]; /* Move former R to message. */ data->msg[j] = data->sig[j]; /* Move former R to message. */
data->sig[j] = pubkey[j + 1]; /* Move recovered pubkey X coordinate to R (which must be a valid X coordinate). */ data->sig[j] = pubkey[j + 1]; /* Move recovered pubkey X coordinate to R (which must be a valid X coordinate). */
@ -29,16 +31,17 @@ void bench_recover(void* arg) {
} }
void bench_recover_setup(void* arg) { void bench_recover_setup(void* arg) {
int i;
bench_recover_t *data = (bench_recover_t*)arg; bench_recover_t *data = (bench_recover_t*)arg;
for (int i = 0; i < 32; i++) data->msg[i] = 1 + i; for (i = 0; i < 32; i++) data->msg[i] = 1 + i;
for (int i = 0; i < 64; i++) data->sig[i] = 65 + i; for (i = 0; i < 64; i++) data->sig[i] = 65 + i;
} }
int main(void) { int main(void) {
bench_recover_t data;
secp256k1_start(SECP256K1_START_VERIFY); secp256k1_start(SECP256K1_START_VERIFY);
bench_recover_t data;
run_benchmark(bench_recover, bench_recover_setup, NULL, &data, 10, 20000); run_benchmark(bench_recover, bench_recover_setup, NULL, &data, 10, 20000);
secp256k1_stop(); secp256k1_stop();

View file

@ -14,20 +14,23 @@ typedef struct {
} bench_sign_t; } bench_sign_t;
static void bench_sign_setup(void* arg) { static void bench_sign_setup(void* arg) {
int i;
bench_sign_t *data = (bench_sign_t*)arg; bench_sign_t *data = (bench_sign_t*)arg;
for (int i = 0; i < 32; i++) data->msg[i] = i + 1; for (i = 0; i < 32; i++) data->msg[i] = i + 1;
for (int i = 0; i < 32; i++) data->key[i] = i + 65; for (i = 0; i < 32; i++) data->key[i] = i + 65;
} }
static void bench_sign(void* arg) { static void bench_sign(void* arg) {
int i;
bench_sign_t *data = (bench_sign_t*)arg; bench_sign_t *data = (bench_sign_t*)arg;
unsigned char sig[64]; unsigned char sig[64];
for (int i=0; i<20000; i++) { for (i = 0; i < 20000; i++) {
int j;
int recid = 0; int recid = 0;
CHECK(secp256k1_ecdsa_sign_compact(data->msg, sig, data->key, NULL, NULL, &recid)); CHECK(secp256k1_ecdsa_sign_compact(data->msg, sig, data->key, NULL, NULL, &recid));
for (int j = 0; j < 32; j++) { for (j = 0; j < 32; j++) {
data->msg[j] = sig[j]; /* Move former R to message. */ data->msg[j] = sig[j]; /* Move former R to message. */
data->key[j] = sig[j + 32]; /* Move former S to key. */ data->key[j] = sig[j + 32]; /* Move former S to key. */
} }
@ -35,9 +38,9 @@ static void bench_sign(void* arg) {
} }
int main(void) { int main(void) {
bench_sign_t data;
secp256k1_start(SECP256K1_START_SIGN); secp256k1_start(SECP256K1_START_SIGN);
bench_sign_t data;
run_benchmark(bench_sign, bench_sign_setup, NULL, &data, 10, 20000); run_benchmark(bench_sign, bench_sign_setup, NULL, &data, 10, 20000);
secp256k1_stop(); secp256k1_stop();

View file

@ -21,9 +21,10 @@ typedef struct {
} benchmark_verify_t; } benchmark_verify_t;
static void benchmark_verify(void* arg) { static void benchmark_verify(void* arg) {
int i;
benchmark_verify_t* data = (benchmark_verify_t*)arg; benchmark_verify_t* data = (benchmark_verify_t*)arg;
for (int i=0; i<20000; i++) { for (i = 0; i < 20000; i++) {
data->sig[data->siglen - 1] ^= (i & 0xFF); data->sig[data->siglen - 1] ^= (i & 0xFF);
data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF); data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF);
data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF); data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF);
@ -35,12 +36,13 @@ static void benchmark_verify(void* arg) {
} }
int main(void) { int main(void) {
secp256k1_start(SECP256K1_START_VERIFY | SECP256K1_START_SIGN); int i;
benchmark_verify_t data; benchmark_verify_t data;
for (int i = 0; i < 32; i++) data.msg[i] = 1 + i; secp256k1_start(SECP256K1_START_VERIFY | SECP256K1_START_SIGN);
for (int i = 0; i < 32; i++) data.key[i] = 33 + i;
for (i = 0; i < 32; i++) data.msg[i] = 1 + i;
for (i = 0; i < 32; i++) data.key[i] = 33 + i;
data.siglen = 72; data.siglen = 72;
secp256k1_ecdsa_sign(data.msg, data.sig, &data.siglen, data.key, NULL, NULL); secp256k1_ecdsa_sign(data.msg, data.sig, &data.siglen, data.key, NULL, NULL);
data.pubkeylen = 33; data.pubkeylen = 33;

View file

@ -30,22 +30,26 @@ typedef struct {
static const secp256k1_ecmult_gen_consts_t *secp256k1_ecmult_gen_consts = NULL; static const secp256k1_ecmult_gen_consts_t *secp256k1_ecmult_gen_consts = NULL;
static void secp256k1_ecmult_gen_start(void) { static void secp256k1_ecmult_gen_start(void) {
secp256k1_ge_t prec[1024];
secp256k1_gej_t gj;
secp256k1_gej_t nums_gej;
secp256k1_ecmult_gen_consts_t *ret;
int i, j;
if (secp256k1_ecmult_gen_consts != NULL) if (secp256k1_ecmult_gen_consts != NULL)
return; return;
/* Allocate the precomputation table. */ /* Allocate the precomputation table. */
secp256k1_ecmult_gen_consts_t *ret = (secp256k1_ecmult_gen_consts_t*)checked_malloc(sizeof(secp256k1_ecmult_gen_consts_t)); ret = (secp256k1_ecmult_gen_consts_t*)checked_malloc(sizeof(secp256k1_ecmult_gen_consts_t));
/* get the generator */ /* get the generator */
secp256k1_gej_t gj; secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
/* Construct a group element with no known corresponding scalar (nothing up my sleeve). */ /* Construct a group element with no known corresponding scalar (nothing up my sleeve). */
secp256k1_gej_t nums_gej;
{ {
static const unsigned char nums_b32[32] = "The scalar for this x is unknown"; static const unsigned char nums_b32[32] = "The scalar for this x is unknown";
secp256k1_fe_t nums_x; secp256k1_fe_t nums_x;
VERIFY_CHECK(secp256k1_fe_set_b32(&nums_x, nums_b32));
secp256k1_ge_t nums_ge; secp256k1_ge_t nums_ge;
VERIFY_CHECK(secp256k1_fe_set_b32(&nums_x, nums_b32));
VERIFY_CHECK(secp256k1_ge_set_xo_var(&nums_ge, &nums_x, 0)); VERIFY_CHECK(secp256k1_ge_set_xo_var(&nums_ge, &nums_x, 0));
secp256k1_gej_set_ge(&nums_gej, &nums_ge); secp256k1_gej_set_ge(&nums_gej, &nums_ge);
/* Add G to make the bits in x uniformly distributed. */ /* Add G to make the bits in x uniformly distributed. */
@ -53,19 +57,20 @@ static void secp256k1_ecmult_gen_start(void) {
} }
/* compute prec. */ /* compute prec. */
secp256k1_ge_t prec[1024];
{ {
secp256k1_gej_t precj[1024]; /* Jacobian versions of prec. */ secp256k1_gej_t precj[1024]; /* Jacobian versions of prec. */
secp256k1_gej_t gbase; gbase = gj; /* 16^j * G */ secp256k1_gej_t gbase;
secp256k1_gej_t numsbase; numsbase = nums_gej; /* 2^j * nums. */ secp256k1_gej_t numsbase;
for (int j=0; j<64; j++) { gbase = gj; /* 16^j * G */
numsbase = nums_gej; /* 2^j * nums. */
for (j = 0; j < 64; j++) {
/* Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase). */ /* Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase). */
precj[j*16] = numsbase; precj[j*16] = numsbase;
for (int i=1; i<16; i++) { for (i = 1; i < 16; i++) {
secp256k1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase); secp256k1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase);
} }
/* Multiply gbase by 16. */ /* Multiply gbase by 16. */
for (int i=0; i<4; i++) { for (i = 0; i < 4; i++) {
secp256k1_gej_double_var(&gbase, &gbase); secp256k1_gej_double_var(&gbase, &gbase);
} }
/* Multiply numbase by 2. */ /* Multiply numbase by 2. */
@ -78,8 +83,8 @@ static void secp256k1_ecmult_gen_start(void) {
} }
secp256k1_ge_set_all_gej_var(1024, prec, precj); secp256k1_ge_set_all_gej_var(1024, prec, precj);
} }
for (int j=0; j<64; j++) { for (j = 0; j < 64; j++) {
for (int i=0; i<16; i++) { for (i = 0; i < 16; i++) {
secp256k1_ge_to_storage(&ret->prec[j][i], &prec[j*16 + i]); secp256k1_ge_to_storage(&ret->prec[j][i], &prec[j*16 + i]);
} }
} }
@ -89,10 +94,11 @@ static void secp256k1_ecmult_gen_start(void) {
} }
static void secp256k1_ecmult_gen_stop(void) { static void secp256k1_ecmult_gen_stop(void) {
secp256k1_ecmult_gen_consts_t *c;
if (secp256k1_ecmult_gen_consts == NULL) if (secp256k1_ecmult_gen_consts == NULL)
return; return;
secp256k1_ecmult_gen_consts_t *c = (secp256k1_ecmult_gen_consts_t*)secp256k1_ecmult_gen_consts; c = (secp256k1_ecmult_gen_consts_t*)secp256k1_ecmult_gen_consts;
secp256k1_ecmult_gen_consts = NULL; secp256k1_ecmult_gen_consts = NULL;
free(c); free(c);
} }
@ -101,12 +107,13 @@ static void secp256k1_ecmult_gen(secp256k1_gej_t *r, const secp256k1_scalar_t *g
const secp256k1_ecmult_gen_consts_t *c = secp256k1_ecmult_gen_consts; const secp256k1_ecmult_gen_consts_t *c = secp256k1_ecmult_gen_consts;
secp256k1_ge_t add; secp256k1_ge_t add;
secp256k1_ge_storage_t adds; secp256k1_ge_storage_t adds;
int bits;
int i, j;
secp256k1_gej_set_infinity(r); secp256k1_gej_set_infinity(r);
add.infinity = 0; add.infinity = 0;
int bits; for (j = 0; j < 64; j++) {
for (int j=0; j<64; j++) {
bits = secp256k1_scalar_get_bits(gn, j * 4, 4); bits = secp256k1_scalar_get_bits(gn, j * 4, 4);
for (int i=0; i<16; i++) { for (i = 0; i < 16; i++) {
secp256k1_ge_storage_cmov(&adds, &c->prec[j][i], i == bits); secp256k1_ge_storage_cmov(&adds, &c->prec[j][i], i == bits);
} }
secp256k1_ge_from_storage(&add, &adds); secp256k1_ge_from_storage(&add, &adds);

View file

@ -37,23 +37,27 @@
* G is constant, so it only needs to be done once in advance. * G is constant, so it only needs to be done once in advance.
*/ */
static void secp256k1_ecmult_table_precomp_gej_var(secp256k1_gej_t *pre, const secp256k1_gej_t *a, int w) { static void secp256k1_ecmult_table_precomp_gej_var(secp256k1_gej_t *pre, const secp256k1_gej_t *a, int w) {
secp256k1_gej_t d;
int i;
pre[0] = *a; pre[0] = *a;
secp256k1_gej_t d; secp256k1_gej_double_var(&d, &pre[0]); secp256k1_gej_double_var(&d, &pre[0]);
for (int i=1; i<(1 << (w-2)); i++) for (i = 1; i < (1 << (w-2)); i++)
secp256k1_gej_add_var(&pre[i], &d, &pre[i-1]); secp256k1_gej_add_var(&pre[i], &d, &pre[i-1]);
} }
static void secp256k1_ecmult_table_precomp_ge_storage_var(secp256k1_ge_storage_t *pre, const secp256k1_gej_t *a, int w) { static void secp256k1_ecmult_table_precomp_ge_storage_var(secp256k1_ge_storage_t *pre, const secp256k1_gej_t *a, int w) {
secp256k1_gej_t d;
int i;
const int table_size = 1 << (w-2); const int table_size = 1 << (w-2);
secp256k1_gej_t *prej = checked_malloc(sizeof(secp256k1_gej_t) * table_size); secp256k1_gej_t *prej = checked_malloc(sizeof(secp256k1_gej_t) * table_size);
secp256k1_ge_t *prea = checked_malloc(sizeof(secp256k1_ge_t) * table_size); secp256k1_ge_t *prea = checked_malloc(sizeof(secp256k1_ge_t) * table_size);
prej[0] = *a; prej[0] = *a;
secp256k1_gej_t d; secp256k1_gej_double_var(&d, a); secp256k1_gej_double_var(&d, a);
for (int i=1; i<table_size; i++) { for (i = 1; i < table_size; i++) {
secp256k1_gej_add_var(&prej[i], &d, &prej[i-1]); secp256k1_gej_add_var(&prej[i], &d, &prej[i-1]);
} }
secp256k1_ge_set_all_gej_var(table_size, prea, prej); secp256k1_ge_set_all_gej_var(table_size, prea, prej);
for (int i=0; i<table_size; i++) { for (i = 0; i < table_size; i++) {
secp256k1_ge_to_storage(&pre[i], &prea[i]); secp256k1_ge_to_storage(&pre[i], &prea[i]);
} }
free(prej); free(prej);
@ -97,26 +101,31 @@ typedef struct {
static const secp256k1_ecmult_consts_t *secp256k1_ecmult_consts = NULL; static const secp256k1_ecmult_consts_t *secp256k1_ecmult_consts = NULL;
static void secp256k1_ecmult_start(void) { static void secp256k1_ecmult_start(void) {
secp256k1_gej_t gj;
secp256k1_ecmult_consts_t *ret;
if (secp256k1_ecmult_consts != NULL) if (secp256k1_ecmult_consts != NULL)
return; return;
/* Allocate the precomputation table. */ /* Allocate the precomputation table. */
secp256k1_ecmult_consts_t *ret = (secp256k1_ecmult_consts_t*)checked_malloc(sizeof(secp256k1_ecmult_consts_t)); ret = (secp256k1_ecmult_consts_t*)checked_malloc(sizeof(secp256k1_ecmult_consts_t));
/* get the generator */ /* get the generator */
secp256k1_gej_t gj; secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
#ifdef USE_ENDOMORPHISM
/* calculate 2^128*generator */
secp256k1_gej_t g_128j = gj;
for (int i=0; i<128; i++)
secp256k1_gej_double_var(&g_128j, &g_128j);
#endif
/* precompute the tables with odd multiples */ /* precompute the tables with odd multiples */
secp256k1_ecmult_table_precomp_ge_storage_var(ret->pre_g, &gj, WINDOW_G); secp256k1_ecmult_table_precomp_ge_storage_var(ret->pre_g, &gj, WINDOW_G);
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
secp256k1_ecmult_table_precomp_ge_storage_var(ret->pre_g_128, &g_128j, WINDOW_G); {
secp256k1_gej_t g_128j;
int i;
/* calculate 2^128*generator */
g_128j = gj;
for (i = 0; i < 128; i++)
secp256k1_gej_double_var(&g_128j, &g_128j);
secp256k1_ecmult_table_precomp_ge_storage_var(ret->pre_g_128, &g_128j, WINDOW_G);
}
#endif #endif
/* Set the global pointer to the precomputation table. */ /* Set the global pointer to the precomputation table. */
@ -124,10 +133,11 @@ static void secp256k1_ecmult_start(void) {
} }
static void secp256k1_ecmult_stop(void) { static void secp256k1_ecmult_stop(void) {
secp256k1_ecmult_consts_t *c;
if (secp256k1_ecmult_consts == NULL) if (secp256k1_ecmult_consts == NULL)
return; return;
secp256k1_ecmult_consts_t *c = (secp256k1_ecmult_consts_t*)secp256k1_ecmult_consts; c = (secp256k1_ecmult_consts_t*)secp256k1_ecmult_consts;
secp256k1_ecmult_consts = NULL; secp256k1_ecmult_consts = NULL;
free(c); free(c);
} }
@ -141,16 +151,18 @@ static void secp256k1_ecmult_stop(void) {
*/ */
static int secp256k1_ecmult_wnaf(int *wnaf, const secp256k1_scalar_t *a, int w) { static int secp256k1_ecmult_wnaf(int *wnaf, const secp256k1_scalar_t *a, int w) {
secp256k1_scalar_t s = *a; secp256k1_scalar_t s = *a;
int set_bits = 0;
int bit = 0;
int sign = 1; int sign = 1;
if (secp256k1_scalar_get_bits(&s, 255, 1)) { if (secp256k1_scalar_get_bits(&s, 255, 1)) {
secp256k1_scalar_negate(&s, &s); secp256k1_scalar_negate(&s, &s);
sign = -1; sign = -1;
} }
int set_bits = 0;
int bit = 0;
while (bit < 256) { while (bit < 256) {
int now;
int word;
if (secp256k1_scalar_get_bits(&s, bit, 1) == 0) { if (secp256k1_scalar_get_bits(&s, bit, 1) == 0) {
bit++; bit++;
continue; continue;
@ -158,11 +170,11 @@ static int secp256k1_ecmult_wnaf(int *wnaf, const secp256k1_scalar_t *a, int w)
while (set_bits < bit) { while (set_bits < bit) {
wnaf[set_bits++] = 0; wnaf[set_bits++] = 0;
} }
int now = w; now = w;
if (bit + now > 256) { if (bit + now > 256) {
now = 256 - bit; now = 256 - bit;
} }
int word = secp256k1_scalar_get_bits_var(&s, bit, now); word = secp256k1_scalar_get_bits_var(&s, bit, now);
if (word & (1 << (w-1))) { if (word & (1 << (w-1))) {
secp256k1_scalar_add_bit(&s, bit + w); secp256k1_scalar_add_bit(&s, bit + w);
wnaf[set_bits++] = sign * (word - (1 << w)); wnaf[set_bits++] = sign * (word - (1 << w));
@ -175,58 +187,74 @@ static int secp256k1_ecmult_wnaf(int *wnaf, const secp256k1_scalar_t *a, int w)
} }
static void secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_scalar_t *na, const secp256k1_scalar_t *ng) { static void secp256k1_ecmult(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_scalar_t *na, const secp256k1_scalar_t *ng) {
secp256k1_gej_t tmpj;
secp256k1_gej_t pre_a[ECMULT_TABLE_SIZE(WINDOW_A)];
secp256k1_ge_t tmpa;
const secp256k1_ecmult_consts_t *c = secp256k1_ecmult_consts; const secp256k1_ecmult_consts_t *c = secp256k1_ecmult_consts;
#ifdef USE_ENDOMORPHISM
secp256k1_gej_t pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)];
secp256k1_scalar_t na_1, na_lam;
/* Splitted G factors. */
secp256k1_scalar_t ng_1, ng_128;
int wnaf_na_1[130];
int wnaf_na_lam[130];
int bits_na_1;
int bits_na_lam;
int wnaf_ng_1[129];
int bits_ng_1;
int wnaf_ng_128[129];
int bits_ng_128;
#else
int wnaf_na[256];
int bits_na;
int wnaf_ng[257];
int bits_ng;
#endif
int i;
int bits;
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
secp256k1_scalar_t na_1, na_lam;
/* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */ /* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */
secp256k1_scalar_split_lambda_var(&na_1, &na_lam, na); secp256k1_scalar_split_lambda_var(&na_1, &na_lam, na);
/* build wnaf representation for na_1 and na_lam. */ /* build wnaf representation for na_1 and na_lam. */
int wnaf_na_1[130]; int bits_na_1 = secp256k1_ecmult_wnaf(wnaf_na_1, &na_1, WINDOW_A); bits_na_1 = secp256k1_ecmult_wnaf(wnaf_na_1, &na_1, WINDOW_A);
int wnaf_na_lam[130]; int bits_na_lam = secp256k1_ecmult_wnaf(wnaf_na_lam, &na_lam, WINDOW_A); bits_na_lam = secp256k1_ecmult_wnaf(wnaf_na_lam, &na_lam, WINDOW_A);
VERIFY_CHECK(bits_na_1 <= 130); VERIFY_CHECK(bits_na_1 <= 130);
VERIFY_CHECK(bits_na_lam <= 130); VERIFY_CHECK(bits_na_lam <= 130);
int bits = bits_na_1; bits = bits_na_1;
if (bits_na_lam > bits) bits = bits_na_lam; if (bits_na_lam > bits) bits = bits_na_lam;
#else #else
/* build wnaf representation for na. */ /* build wnaf representation for na. */
int wnaf_na[256]; int bits_na = secp256k1_ecmult_wnaf(wnaf_na, na, WINDOW_A); bits_na = secp256k1_ecmult_wnaf(wnaf_na, na, WINDOW_A);
int bits = bits_na; bits = bits_na;
#endif #endif
/* calculate odd multiples of a */ /* calculate odd multiples of a */
secp256k1_gej_t pre_a[ECMULT_TABLE_SIZE(WINDOW_A)];
secp256k1_ecmult_table_precomp_gej_var(pre_a, a, WINDOW_A); secp256k1_ecmult_table_precomp_gej_var(pre_a, a, WINDOW_A);
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
secp256k1_gej_t pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++)
for (int i=0; i<ECMULT_TABLE_SIZE(WINDOW_A); i++)
secp256k1_gej_mul_lambda(&pre_a_lam[i], &pre_a[i]); secp256k1_gej_mul_lambda(&pre_a_lam[i], &pre_a[i]);
/* Splitted G factors. */
secp256k1_scalar_t ng_1, ng_128;
/* split ng into ng_1 and ng_128 (where gn = gn_1 + gn_128*2^128, and gn_1 and gn_128 are ~128 bit) */ /* split ng into ng_1 and ng_128 (where gn = gn_1 + gn_128*2^128, and gn_1 and gn_128 are ~128 bit) */
secp256k1_scalar_split_128(&ng_1, &ng_128, ng); secp256k1_scalar_split_128(&ng_1, &ng_128, ng);
/* Build wnaf representation for ng_1 and ng_128 */ /* Build wnaf representation for ng_1 and ng_128 */
int wnaf_ng_1[129]; int bits_ng_1 = secp256k1_ecmult_wnaf(wnaf_ng_1, &ng_1, WINDOW_G); bits_ng_1 = secp256k1_ecmult_wnaf(wnaf_ng_1, &ng_1, WINDOW_G);
int wnaf_ng_128[129]; int bits_ng_128 = secp256k1_ecmult_wnaf(wnaf_ng_128, &ng_128, WINDOW_G); bits_ng_128 = secp256k1_ecmult_wnaf(wnaf_ng_128, &ng_128, WINDOW_G);
if (bits_ng_1 > bits) bits = bits_ng_1; if (bits_ng_1 > bits) bits = bits_ng_1;
if (bits_ng_128 > bits) bits = bits_ng_128; if (bits_ng_128 > bits) bits = bits_ng_128;
#else #else
int wnaf_ng[257]; int bits_ng = secp256k1_ecmult_wnaf(wnaf_ng, ng, WINDOW_G); bits_ng = secp256k1_ecmult_wnaf(wnaf_ng, ng, WINDOW_G);
if (bits_ng > bits) bits = bits_ng; if (bits_ng > bits) bits = bits_ng;
#endif #endif
secp256k1_gej_set_infinity(r); secp256k1_gej_set_infinity(r);
secp256k1_gej_t tmpj;
secp256k1_ge_t tmpa;
for (int i=bits-1; i>=0; i--) { for (i = bits-1; i >= 0; i--) {
secp256k1_gej_double_var(r, r);
int n; int n;
secp256k1_gej_double_var(r, r);
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
if (i < bits_na_1 && (n = wnaf_na_1[i])) { if (i < bits_na_1 && (n = wnaf_na_1[i])) {
ECMULT_TABLE_GET_GEJ(&tmpj, pre_a, n, WINDOW_A); ECMULT_TABLE_GET_GEJ(&tmpj, pre_a, n, WINDOW_A);

View file

@ -398,7 +398,7 @@ static void secp256k1_fe_sqr(secp256k1_fe_t *r, const secp256k1_fe_t *a) {
#endif #endif
} }
static inline void secp256k1_fe_storage_cmov(secp256k1_fe_storage_t *r, const secp256k1_fe_storage_t *a, int flag) { static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage_t *r, const secp256k1_fe_storage_t *a, int flag) {
uint64_t mask0 = flag + ~((uint64_t)0), mask1 = ~mask0; uint64_t mask0 = flag + ~((uint64_t)0), mask1 = ~mask0;
r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1); r->n[1] = (r->n[1] & mask0) | (a->n[1] & mask1);
@ -416,7 +416,7 @@ static void secp256k1_fe_to_storage(secp256k1_fe_storage_t *r, const secp256k1_f
r->n[3] = a->n[3] >> 36 | a->n[4] << 16; r->n[3] = a->n[3] >> 36 | a->n[4] << 16;
} }
static inline void secp256k1_fe_from_storage(secp256k1_fe_t *r, const secp256k1_fe_storage_t *a) { static SECP256K1_INLINE void secp256k1_fe_from_storage(secp256k1_fe_t *r, const secp256k1_fe_storage_t *a) {
r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL; r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL;
r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL); r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL);
r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL); r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL);

View file

@ -54,10 +54,11 @@ static void secp256k1_ge_get_hex(char *r131, const secp256k1_ge_t *a) {
} }
static void secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a) { static void secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a) {
secp256k1_fe_t z2, z3;
r->infinity = a->infinity; r->infinity = a->infinity;
secp256k1_fe_inv(&a->z, &a->z); secp256k1_fe_inv(&a->z, &a->z);
secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &a->z); secp256k1_fe_sqr(&z2, &a->z);
secp256k1_fe_t z3; secp256k1_fe_mul(&z3, &a->z, &z2); secp256k1_fe_mul(&z3, &a->z, &z2);
secp256k1_fe_mul(&a->x, &a->x, &z2); secp256k1_fe_mul(&a->x, &a->x, &z2);
secp256k1_fe_mul(&a->y, &a->y, &z3); secp256k1_fe_mul(&a->y, &a->y, &z3);
secp256k1_fe_set_int(&a->z, 1); secp256k1_fe_set_int(&a->z, 1);
@ -66,13 +67,14 @@ static void secp256k1_ge_set_gej(secp256k1_ge_t *r, secp256k1_gej_t *a) {
} }
static void secp256k1_ge_set_gej_var(secp256k1_ge_t *r, secp256k1_gej_t *a) { static void secp256k1_ge_set_gej_var(secp256k1_ge_t *r, secp256k1_gej_t *a) {
secp256k1_fe_t z2, z3;
r->infinity = a->infinity; r->infinity = a->infinity;
if (a->infinity) { if (a->infinity) {
return; return;
} }
secp256k1_fe_inv_var(&a->z, &a->z); secp256k1_fe_inv_var(&a->z, &a->z);
secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &a->z); secp256k1_fe_sqr(&z2, &a->z);
secp256k1_fe_t z3; secp256k1_fe_mul(&z3, &a->z, &z2); secp256k1_fe_mul(&z3, &a->z, &z2);
secp256k1_fe_mul(&a->x, &a->x, &z2); secp256k1_fe_mul(&a->x, &a->x, &z2);
secp256k1_fe_mul(&a->y, &a->y, &z3); secp256k1_fe_mul(&a->y, &a->y, &z3);
secp256k1_fe_set_int(&a->z, 1); secp256k1_fe_set_int(&a->z, 1);
@ -81,25 +83,29 @@ static void secp256k1_ge_set_gej_var(secp256k1_ge_t *r, secp256k1_gej_t *a) {
} }
static void secp256k1_ge_set_all_gej_var(size_t len, secp256k1_ge_t *r, const secp256k1_gej_t *a) { static void secp256k1_ge_set_all_gej_var(size_t len, secp256k1_ge_t *r, const secp256k1_gej_t *a) {
secp256k1_fe_t *az;
secp256k1_fe_t *azi;
size_t i;
size_t count = 0; size_t count = 0;
secp256k1_fe_t *az = checked_malloc(sizeof(secp256k1_fe_t) * len); az = checked_malloc(sizeof(secp256k1_fe_t) * len);
for (size_t i=0; i<len; i++) { for (i = 0; i < len; i++) {
if (!a[i].infinity) { if (!a[i].infinity) {
az[count++] = a[i].z; az[count++] = a[i].z;
} }
} }
secp256k1_fe_t *azi = checked_malloc(sizeof(secp256k1_fe_t) * count); azi = checked_malloc(sizeof(secp256k1_fe_t) * count);
secp256k1_fe_inv_all_var(count, azi, az); secp256k1_fe_inv_all_var(count, azi, az);
free(az); free(az);
count = 0; count = 0;
for (size_t i=0; i<len; i++) { for (i = 0; i < len; i++) {
r[i].infinity = a[i].infinity; r[i].infinity = a[i].infinity;
if (!a[i].infinity) { if (!a[i].infinity) {
secp256k1_fe_t zi2, zi3;
secp256k1_fe_t *zi = &azi[count++]; secp256k1_fe_t *zi = &azi[count++];
secp256k1_fe_t zi2; secp256k1_fe_sqr(&zi2, zi); secp256k1_fe_sqr(&zi2, zi);
secp256k1_fe_t zi3; secp256k1_fe_mul(&zi3, &zi2, zi); secp256k1_fe_mul(&zi3, &zi2, zi);
secp256k1_fe_mul(&r[i].x, &a[i].x, &zi2); secp256k1_fe_mul(&r[i].x, &a[i].x, &zi2);
secp256k1_fe_mul(&r[i].y, &a[i].y, &zi3); secp256k1_fe_mul(&r[i].y, &a[i].y, &zi3);
} }
@ -135,11 +141,12 @@ static void secp256k1_ge_clear(secp256k1_ge_t *r) {
} }
static int secp256k1_ge_set_xo_var(secp256k1_ge_t *r, const secp256k1_fe_t *x, int odd) { static int secp256k1_ge_set_xo_var(secp256k1_ge_t *r, const secp256k1_fe_t *x, int odd) {
secp256k1_fe_t x2, x3, c;
r->x = *x; r->x = *x;
secp256k1_fe_t x2; secp256k1_fe_sqr(&x2, x); secp256k1_fe_sqr(&x2, x);
secp256k1_fe_t x3; secp256k1_fe_mul(&x3, x, &x2); secp256k1_fe_mul(&x3, x, &x2);
r->infinity = 0; r->infinity = 0;
secp256k1_fe_t c; secp256k1_fe_set_int(&c, 7); secp256k1_fe_set_int(&c, 7);
secp256k1_fe_add(&c, &x3); secp256k1_fe_add(&c, &x3);
if (!secp256k1_fe_sqrt_var(&r->y, &c)) if (!secp256k1_fe_sqrt_var(&r->y, &c))
return 0; return 0;
@ -157,9 +164,10 @@ static void secp256k1_gej_set_ge(secp256k1_gej_t *r, const secp256k1_ge_t *a) {
} }
static int secp256k1_gej_eq_x_var(const secp256k1_fe_t *x, const secp256k1_gej_t *a) { static int secp256k1_gej_eq_x_var(const secp256k1_fe_t *x, const secp256k1_gej_t *a) {
secp256k1_fe_t r, r2;
VERIFY_CHECK(!a->infinity); VERIFY_CHECK(!a->infinity);
secp256k1_fe_t r; secp256k1_fe_sqr(&r, &a->z); secp256k1_fe_mul(&r, &r, x); secp256k1_fe_sqr(&r, &a->z); secp256k1_fe_mul(&r, &r, x);
secp256k1_fe_t r2 = a->x; secp256k1_fe_normalize_weak(&r2); r2 = a->x; secp256k1_fe_normalize_weak(&r2);
return secp256k1_fe_equal_var(&r, &r2); return secp256k1_fe_equal_var(&r, &r2);
} }
@ -177,6 +185,7 @@ static int secp256k1_gej_is_infinity(const secp256k1_gej_t *a) {
} }
static int secp256k1_gej_is_valid_var(const secp256k1_gej_t *a) { static int secp256k1_gej_is_valid_var(const secp256k1_gej_t *a) {
secp256k1_fe_t y2, x3, z2, z6;
if (a->infinity) if (a->infinity)
return 0; return 0;
/** y^2 = x^3 + 7 /** y^2 = x^3 + 7
@ -184,10 +193,10 @@ static int secp256k1_gej_is_valid_var(const secp256k1_gej_t *a) {
* Y^2 / Z^6 = X^3 / Z^6 + 7 * Y^2 / Z^6 = X^3 / Z^6 + 7
* Y^2 = X^3 + 7*Z^6 * Y^2 = X^3 + 7*Z^6
*/ */
secp256k1_fe_t y2; secp256k1_fe_sqr(&y2, &a->y); secp256k1_fe_sqr(&y2, &a->y);
secp256k1_fe_t x3; secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x); secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x);
secp256k1_fe_t z2; secp256k1_fe_sqr(&z2, &a->z); secp256k1_fe_sqr(&z2, &a->z);
secp256k1_fe_t z6; secp256k1_fe_sqr(&z6, &z2); secp256k1_fe_mul(&z6, &z6, &z2); secp256k1_fe_sqr(&z6, &z2); secp256k1_fe_mul(&z6, &z6, &z2);
secp256k1_fe_mul_int(&z6, 7); secp256k1_fe_mul_int(&z6, 7);
secp256k1_fe_add(&x3, &z6); secp256k1_fe_add(&x3, &z6);
secp256k1_fe_normalize_weak(&x3); secp256k1_fe_normalize_weak(&x3);
@ -195,18 +204,20 @@ static int secp256k1_gej_is_valid_var(const secp256k1_gej_t *a) {
} }
static int secp256k1_ge_is_valid_var(const secp256k1_ge_t *a) { static int secp256k1_ge_is_valid_var(const secp256k1_ge_t *a) {
secp256k1_fe_t y2, x3, c;
if (a->infinity) if (a->infinity)
return 0; return 0;
/* y^2 = x^3 + 7 */ /* y^2 = x^3 + 7 */
secp256k1_fe_t y2; secp256k1_fe_sqr(&y2, &a->y); secp256k1_fe_sqr(&y2, &a->y);
secp256k1_fe_t x3; secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x); secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x);
secp256k1_fe_t c; secp256k1_fe_set_int(&c, 7); secp256k1_fe_set_int(&c, 7);
secp256k1_fe_add(&x3, &c); secp256k1_fe_add(&x3, &c);
secp256k1_fe_normalize_weak(&x3); secp256k1_fe_normalize_weak(&x3);
return secp256k1_fe_equal_var(&y2, &x3); return secp256k1_fe_equal_var(&y2, &x3);
} }
static void secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a) { static void secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *a) {
secp256k1_fe_t t1,t2,t3,t4;
/** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity, /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity,
* Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have * Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have
* y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p. * y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p.
@ -216,7 +227,6 @@ static void secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *
return; return;
} }
secp256k1_fe_t t1,t2,t3,t4;
secp256k1_fe_mul(&r->z, &a->z, &a->y); secp256k1_fe_mul(&r->z, &a->z, &a->y);
secp256k1_fe_mul_int(&r->z, 2); /* Z' = 2*Y*Z (2) */ secp256k1_fe_mul_int(&r->z, 2); /* Z' = 2*Y*Z (2) */
secp256k1_fe_sqr(&t1, &a->x); secp256k1_fe_sqr(&t1, &a->x);
@ -240,6 +250,7 @@ static void secp256k1_gej_double_var(secp256k1_gej_t *r, const secp256k1_gej_t *
} }
static void secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b) { static void secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
secp256k1_fe_t z22, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t;
if (a->infinity) { if (a->infinity) {
*r = *b; *r = *b;
return; return;
@ -249,14 +260,14 @@ static void secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a,
return; return;
} }
r->infinity = 0; r->infinity = 0;
secp256k1_fe_t z22; secp256k1_fe_sqr(&z22, &b->z); secp256k1_fe_sqr(&z22, &b->z);
secp256k1_fe_t z12; secp256k1_fe_sqr(&z12, &a->z); secp256k1_fe_sqr(&z12, &a->z);
secp256k1_fe_t u1; secp256k1_fe_mul(&u1, &a->x, &z22); secp256k1_fe_mul(&u1, &a->x, &z22);
secp256k1_fe_t u2; secp256k1_fe_mul(&u2, &b->x, &z12); secp256k1_fe_mul(&u2, &b->x, &z12);
secp256k1_fe_t s1; secp256k1_fe_mul(&s1, &a->y, &z22); secp256k1_fe_mul(&s1, &s1, &b->z); secp256k1_fe_mul(&s1, &a->y, &z22); secp256k1_fe_mul(&s1, &s1, &b->z);
secp256k1_fe_t s2; secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z); secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z);
secp256k1_fe_t h; secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2); secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2);
secp256k1_fe_t i; secp256k1_fe_negate(&i, &s1, 1); secp256k1_fe_add(&i, &s2); secp256k1_fe_negate(&i, &s1, 1); secp256k1_fe_add(&i, &s2);
if (secp256k1_fe_normalizes_to_zero_var(&h)) { if (secp256k1_fe_normalizes_to_zero_var(&h)) {
if (secp256k1_fe_normalizes_to_zero_var(&i)) { if (secp256k1_fe_normalizes_to_zero_var(&i)) {
secp256k1_gej_double_var(r, a); secp256k1_gej_double_var(r, a);
@ -265,11 +276,11 @@ static void secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a,
} }
return; return;
} }
secp256k1_fe_t i2; secp256k1_fe_sqr(&i2, &i); secp256k1_fe_sqr(&i2, &i);
secp256k1_fe_t h2; secp256k1_fe_sqr(&h2, &h); secp256k1_fe_sqr(&h2, &h);
secp256k1_fe_t h3; secp256k1_fe_mul(&h3, &h, &h2); secp256k1_fe_mul(&h3, &h, &h2);
secp256k1_fe_mul(&r->z, &a->z, &b->z); secp256k1_fe_mul(&r->z, &r->z, &h); secp256k1_fe_mul(&r->z, &a->z, &b->z); secp256k1_fe_mul(&r->z, &r->z, &h);
secp256k1_fe_t t; secp256k1_fe_mul(&t, &u1, &h2); secp256k1_fe_mul(&t, &u1, &h2);
r->x = t; secp256k1_fe_mul_int(&r->x, 2); secp256k1_fe_add(&r->x, &h3); secp256k1_fe_negate(&r->x, &r->x, 3); secp256k1_fe_add(&r->x, &i2); r->x = t; secp256k1_fe_mul_int(&r->x, 2); secp256k1_fe_add(&r->x, &h3); secp256k1_fe_negate(&r->x, &r->x, 3); secp256k1_fe_add(&r->x, &i2);
secp256k1_fe_negate(&r->y, &r->x, 5); secp256k1_fe_add(&r->y, &t); secp256k1_fe_mul(&r->y, &r->y, &i); secp256k1_fe_negate(&r->y, &r->x, 5); secp256k1_fe_add(&r->y, &t); secp256k1_fe_mul(&r->y, &r->y, &i);
secp256k1_fe_mul(&h3, &h3, &s1); secp256k1_fe_negate(&h3, &h3, 1); secp256k1_fe_mul(&h3, &h3, &s1); secp256k1_fe_negate(&h3, &h3, 1);
@ -277,6 +288,7 @@ static void secp256k1_gej_add_var(secp256k1_gej_t *r, const secp256k1_gej_t *a,
} }
static void secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) { static void secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) {
secp256k1_fe_t z12, u1, u2, s1, s2, h, i, i2, h2, h3, t;
if (a->infinity) { if (a->infinity) {
r->infinity = b->infinity; r->infinity = b->infinity;
r->x = b->x; r->x = b->x;
@ -289,13 +301,13 @@ static void secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *
return; return;
} }
r->infinity = 0; r->infinity = 0;
secp256k1_fe_t z12; secp256k1_fe_sqr(&z12, &a->z); secp256k1_fe_sqr(&z12, &a->z);
secp256k1_fe_t u1 = a->x; secp256k1_fe_normalize_weak(&u1); u1 = a->x; secp256k1_fe_normalize_weak(&u1);
secp256k1_fe_t u2; secp256k1_fe_mul(&u2, &b->x, &z12); secp256k1_fe_mul(&u2, &b->x, &z12);
secp256k1_fe_t s1 = a->y; secp256k1_fe_normalize_weak(&s1); s1 = a->y; secp256k1_fe_normalize_weak(&s1);
secp256k1_fe_t s2; secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z); secp256k1_fe_mul(&s2, &b->y, &z12); secp256k1_fe_mul(&s2, &s2, &a->z);
secp256k1_fe_t h; secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2); secp256k1_fe_negate(&h, &u1, 1); secp256k1_fe_add(&h, &u2);
secp256k1_fe_t i; secp256k1_fe_negate(&i, &s1, 1); secp256k1_fe_add(&i, &s2); secp256k1_fe_negate(&i, &s1, 1); secp256k1_fe_add(&i, &s2);
if (secp256k1_fe_normalizes_to_zero_var(&h)) { if (secp256k1_fe_normalizes_to_zero_var(&h)) {
if (secp256k1_fe_normalizes_to_zero_var(&i)) { if (secp256k1_fe_normalizes_to_zero_var(&i)) {
secp256k1_gej_double_var(r, a); secp256k1_gej_double_var(r, a);
@ -304,11 +316,11 @@ static void secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *
} }
return; return;
} }
secp256k1_fe_t i2; secp256k1_fe_sqr(&i2, &i); secp256k1_fe_sqr(&i2, &i);
secp256k1_fe_t h2; secp256k1_fe_sqr(&h2, &h); secp256k1_fe_sqr(&h2, &h);
secp256k1_fe_t h3; secp256k1_fe_mul(&h3, &h, &h2); secp256k1_fe_mul(&h3, &h, &h2);
r->z = a->z; secp256k1_fe_mul(&r->z, &r->z, &h); r->z = a->z; secp256k1_fe_mul(&r->z, &r->z, &h);
secp256k1_fe_t t; secp256k1_fe_mul(&t, &u1, &h2); secp256k1_fe_mul(&t, &u1, &h2);
r->x = t; secp256k1_fe_mul_int(&r->x, 2); secp256k1_fe_add(&r->x, &h3); secp256k1_fe_negate(&r->x, &r->x, 3); secp256k1_fe_add(&r->x, &i2); r->x = t; secp256k1_fe_mul_int(&r->x, 2); secp256k1_fe_add(&r->x, &h3); secp256k1_fe_negate(&r->x, &r->x, 3); secp256k1_fe_add(&r->x, &i2);
secp256k1_fe_negate(&r->y, &r->x, 5); secp256k1_fe_add(&r->y, &t); secp256k1_fe_mul(&r->y, &r->y, &i); secp256k1_fe_negate(&r->y, &r->x, 5); secp256k1_fe_add(&r->y, &t); secp256k1_fe_mul(&r->y, &r->y, &i);
secp256k1_fe_mul(&h3, &h3, &s1); secp256k1_fe_negate(&h3, &h3, 1); secp256k1_fe_mul(&h3, &h3, &s1); secp256k1_fe_negate(&h3, &h3, 1);
@ -316,6 +328,8 @@ static void secp256k1_gej_add_ge_var(secp256k1_gej_t *r, const secp256k1_gej_t *
} }
static void secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) { static void secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, const secp256k1_ge_t *b) {
secp256k1_fe_t zz, u1, u2, s1, s2, z, t, m, n, q, rr;
int infinity;
VERIFY_CHECK(!b->infinity); VERIFY_CHECK(!b->infinity);
VERIFY_CHECK(a->infinity == 0 || a->infinity == 1); VERIFY_CHECK(a->infinity == 0 || a->infinity == 1);
@ -341,24 +355,24 @@ static void secp256k1_gej_add_ge(secp256k1_gej_t *r, const secp256k1_gej_t *a, c
* (Note that the paper uses xi = Xi / Zi and yi = Yi / Zi instead.) * (Note that the paper uses xi = Xi / Zi and yi = Yi / Zi instead.)
*/ */
secp256k1_fe_t zz; secp256k1_fe_sqr(&zz, &a->z); /* z = Z1^2 */ secp256k1_fe_sqr(&zz, &a->z); /* z = Z1^2 */
secp256k1_fe_t u1 = a->x; secp256k1_fe_normalize_weak(&u1); /* u1 = U1 = X1*Z2^2 (1) */ u1 = a->x; secp256k1_fe_normalize_weak(&u1); /* u1 = U1 = X1*Z2^2 (1) */
secp256k1_fe_t u2; secp256k1_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */ secp256k1_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */
secp256k1_fe_t s1 = a->y; secp256k1_fe_normalize_weak(&s1); /* s1 = S1 = Y1*Z2^3 (1) */ s1 = a->y; secp256k1_fe_normalize_weak(&s1); /* s1 = S1 = Y1*Z2^3 (1) */
secp256k1_fe_t s2; secp256k1_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z2^2 (1) */ secp256k1_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z2^2 (1) */
secp256k1_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */ secp256k1_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */
secp256k1_fe_t z = a->z; /* z = Z = Z1*Z2 (8) */ z = a->z; /* z = Z = Z1*Z2 (8) */
secp256k1_fe_t t = u1; secp256k1_fe_add(&t, &u2); /* t = T = U1+U2 (2) */ t = u1; secp256k1_fe_add(&t, &u2); /* t = T = U1+U2 (2) */
secp256k1_fe_t m = s1; secp256k1_fe_add(&m, &s2); /* m = M = S1+S2 (2) */ m = s1; secp256k1_fe_add(&m, &s2); /* m = M = S1+S2 (2) */
secp256k1_fe_t n; secp256k1_fe_sqr(&n, &m); /* n = M^2 (1) */ secp256k1_fe_sqr(&n, &m); /* n = M^2 (1) */
secp256k1_fe_t q; secp256k1_fe_mul(&q, &n, &t); /* q = Q = T*M^2 (1) */ secp256k1_fe_mul(&q, &n, &t); /* q = Q = T*M^2 (1) */
secp256k1_fe_sqr(&n, &n); /* n = M^4 (1) */ secp256k1_fe_sqr(&n, &n); /* n = M^4 (1) */
secp256k1_fe_t rr; secp256k1_fe_sqr(&rr, &t); /* rr = T^2 (1) */ secp256k1_fe_sqr(&rr, &t); /* rr = T^2 (1) */
secp256k1_fe_mul(&t, &u1, &u2); secp256k1_fe_negate(&t, &t, 1); /* t = -U1*U2 (2) */ secp256k1_fe_mul(&t, &u1, &u2); secp256k1_fe_negate(&t, &t, 1); /* t = -U1*U2 (2) */
secp256k1_fe_add(&rr, &t); /* rr = R = T^2-U1*U2 (3) */ secp256k1_fe_add(&rr, &t); /* rr = R = T^2-U1*U2 (3) */
secp256k1_fe_sqr(&t, &rr); /* t = R^2 (1) */ secp256k1_fe_sqr(&t, &rr); /* t = R^2 (1) */
secp256k1_fe_mul(&r->z, &m, &z); /* r->z = M*Z (1) */ secp256k1_fe_mul(&r->z, &m, &z); /* r->z = M*Z (1) */
int infinity = secp256k1_fe_normalizes_to_zero(&r->z) * (1 - a->infinity); infinity = secp256k1_fe_normalizes_to_zero(&r->z) * (1 - a->infinity);
secp256k1_fe_mul_int(&r->z, 2 * (1 - a->infinity)); /* r->z = Z3 = 2*M*Z (2) */ secp256k1_fe_mul_int(&r->z, 2 * (1 - a->infinity)); /* r->z = Z3 = 2*M*Z (2) */
r->x = t; /* r->x = R^2 (1) */ r->x = t; /* r->x = R^2 (1) */
secp256k1_fe_negate(&q, &q, 1); /* q = -Q (2) */ secp256k1_fe_negate(&q, &q, 1); /* q = -Q (2) */

View file

@ -80,9 +80,9 @@ static void secp256k1_scalar_order_get_num(secp256k1_num_t *r);
/** Compare two scalars. */ /** Compare two scalars. */
static int secp256k1_scalar_eq(const secp256k1_scalar_t *a, const secp256k1_scalar_t *b); static int secp256k1_scalar_eq(const secp256k1_scalar_t *a, const secp256k1_scalar_t *b);
static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
#ifdef USE_ENDOMORPHISM #ifdef USE_ENDOMORPHISM
/** Find r1 and r2 such that r1+r2*2^128 = a. */
static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see secp256k1_gej_mul_lambda). */ /** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see secp256k1_gej_mul_lambda). */
static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a); static void secp256k1_scalar_split_lambda_var(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a);
#endif #endif

View file

@ -630,6 +630,7 @@ static void secp256k1_scalar_sqr(secp256k1_scalar_t *r, const secp256k1_scalar_t
secp256k1_scalar_reduce_512(r, l); secp256k1_scalar_reduce_512(r, l);
} }
#ifdef USE_ENDOMORPHISM
static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) { static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_t *r2, const secp256k1_scalar_t *a) {
r1->d[0] = a->d[0]; r1->d[0] = a->d[0];
r1->d[1] = a->d[1]; r1->d[1] = a->d[1];
@ -648,6 +649,7 @@ static void secp256k1_scalar_split_128(secp256k1_scalar_t *r1, secp256k1_scalar_
r2->d[6] = 0; r2->d[6] = 0;
r2->d[7] = 0; r2->d[7] = 0;
} }
#endif
SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar_t *a, const secp256k1_scalar_t *b) { SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar_t *a, const secp256k1_scalar_t *b) {
return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3]) | (a->d[4] ^ b->d[4]) | (a->d[5] ^ b->d[5]) | (a->d[6] ^ b->d[6]) | (a->d[7] ^ b->d[7])) == 0; return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3]) | (a->d[4] ^ b->d[4]) | (a->d[5] ^ b->d[5]) | (a->d[6] ^ b->d[6]) | (a->d[7] ^ b->d[7])) == 0;

View file

@ -34,15 +34,15 @@ void secp256k1_stop(void) {
} }
int secp256k1_ecdsa_verify(const unsigned char *msg32, const unsigned char *sig, int siglen, const unsigned char *pubkey, int pubkeylen) { int secp256k1_ecdsa_verify(const unsigned char *msg32, const unsigned char *sig, int siglen, const unsigned char *pubkey, int pubkeylen) {
secp256k1_ge_t q;
secp256k1_ecdsa_sig_t s;
secp256k1_scalar_t m;
int ret = -3;
DEBUG_CHECK(secp256k1_ecmult_consts != NULL); DEBUG_CHECK(secp256k1_ecmult_consts != NULL);
DEBUG_CHECK(msg32 != NULL); DEBUG_CHECK(msg32 != NULL);
DEBUG_CHECK(sig != NULL); DEBUG_CHECK(sig != NULL);
DEBUG_CHECK(pubkey != NULL); DEBUG_CHECK(pubkey != NULL);
int ret = -3;
secp256k1_scalar_t m;
secp256k1_ecdsa_sig_t s;
secp256k1_ge_t q;
secp256k1_scalar_set_b32(&m, msg32, NULL); secp256k1_scalar_set_b32(&m, msg32, NULL);
if (!secp256k1_eckey_pubkey_parse(&q, pubkey, pubkeylen)) { if (!secp256k1_eckey_pubkey_parse(&q, pubkey, pubkeylen)) {
@ -63,10 +63,11 @@ end:
} }
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) { static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
(void)data;
secp256k1_rfc6979_hmac_sha256_t rng; secp256k1_rfc6979_hmac_sha256_t rng;
unsigned int i;
(void)data;
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key32, 32, msg32, 32); secp256k1_rfc6979_hmac_sha256_initialize(&rng, key32, 32, msg32, 32);
for (unsigned int i = 0; i <= counter; i++) { for (i = 0; i <= counter; i++) {
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
} }
secp256k1_rfc6979_hmac_sha256_finalize(&rng); secp256k1_rfc6979_hmac_sha256_finalize(&rng);
@ -77,6 +78,11 @@ const secp256k1_nonce_function_t secp256k1_nonce_function_rfc6979 = nonce_functi
const secp256k1_nonce_function_t secp256k1_nonce_function_default = nonce_function_rfc6979; const secp256k1_nonce_function_t secp256k1_nonce_function_default = nonce_function_rfc6979;
int secp256k1_ecdsa_sign(const unsigned char *msg32, unsigned char *signature, int *signaturelen, const unsigned char *seckey, secp256k1_nonce_function_t noncefp, const void* noncedata) { int secp256k1_ecdsa_sign(const unsigned char *msg32, unsigned char *signature, int *signaturelen, const unsigned char *seckey, secp256k1_nonce_function_t noncefp, const void* noncedata) {
secp256k1_ecdsa_sig_t sig;
secp256k1_scalar_t sec, non, msg;
int ret = 0;
int overflow = 0;
unsigned int count = 0;
DEBUG_CHECK(secp256k1_ecmult_gen_consts != NULL); DEBUG_CHECK(secp256k1_ecmult_gen_consts != NULL);
DEBUG_CHECK(msg32 != NULL); DEBUG_CHECK(msg32 != NULL);
DEBUG_CHECK(signature != NULL); DEBUG_CHECK(signature != NULL);
@ -86,13 +92,8 @@ int secp256k1_ecdsa_sign(const unsigned char *msg32, unsigned char *signature, i
noncefp = secp256k1_nonce_function_default; noncefp = secp256k1_nonce_function_default;
} }
secp256k1_scalar_t sec, non, msg;
secp256k1_scalar_set_b32(&sec, seckey, NULL); secp256k1_scalar_set_b32(&sec, seckey, NULL);
secp256k1_scalar_set_b32(&msg, msg32, NULL); secp256k1_scalar_set_b32(&msg, msg32, NULL);
int overflow = 0;
int ret = 0;
unsigned int count = 0;
secp256k1_ecdsa_sig_t sig;
while (1) { while (1) {
unsigned char nonce32[32]; unsigned char nonce32[32];
ret = noncefp(nonce32, msg32, seckey, count, noncedata); ret = noncefp(nonce32, msg32, seckey, count, noncedata);
@ -118,6 +119,11 @@ int secp256k1_ecdsa_sign(const unsigned char *msg32, unsigned char *signature, i
} }
int secp256k1_ecdsa_sign_compact(const unsigned char *msg32, unsigned char *sig64, const unsigned char *seckey, secp256k1_nonce_function_t noncefp, const void* noncedata, int *recid) { int secp256k1_ecdsa_sign_compact(const unsigned char *msg32, unsigned char *sig64, const unsigned char *seckey, secp256k1_nonce_function_t noncefp, const void* noncedata, int *recid) {
secp256k1_ecdsa_sig_t sig;
secp256k1_scalar_t sec, non, msg;
int ret = 0;
int overflow = 0;
unsigned int count = 0;
DEBUG_CHECK(secp256k1_ecmult_gen_consts != NULL); DEBUG_CHECK(secp256k1_ecmult_gen_consts != NULL);
DEBUG_CHECK(msg32 != NULL); DEBUG_CHECK(msg32 != NULL);
DEBUG_CHECK(sig64 != NULL); DEBUG_CHECK(sig64 != NULL);
@ -126,13 +132,8 @@ int secp256k1_ecdsa_sign_compact(const unsigned char *msg32, unsigned char *sig6
noncefp = secp256k1_nonce_function_default; noncefp = secp256k1_nonce_function_default;
} }
secp256k1_scalar_t sec, non, msg;
secp256k1_scalar_set_b32(&sec, seckey, NULL); secp256k1_scalar_set_b32(&sec, seckey, NULL);
secp256k1_scalar_set_b32(&msg, msg32, NULL); secp256k1_scalar_set_b32(&msg, msg32, NULL);
int overflow = 0;
int ret = 0;
unsigned int count = 0;
secp256k1_ecdsa_sig_t sig;
while (1) { while (1) {
unsigned char nonce32[32]; unsigned char nonce32[32];
ret = noncefp(nonce32, msg32, seckey, count, noncedata); ret = noncefp(nonce32, msg32, seckey, count, noncedata);
@ -159,6 +160,11 @@ int secp256k1_ecdsa_sign_compact(const unsigned char *msg32, unsigned char *sig6
} }
int secp256k1_ecdsa_recover_compact(const unsigned char *msg32, const unsigned char *sig64, unsigned char *pubkey, int *pubkeylen, int compressed, int recid) { int secp256k1_ecdsa_recover_compact(const unsigned char *msg32, const unsigned char *sig64, unsigned char *pubkey, int *pubkeylen, int compressed, int recid) {
secp256k1_ge_t q;
secp256k1_ecdsa_sig_t sig;
secp256k1_scalar_t m;
int ret = 0;
int overflow = 0;
DEBUG_CHECK(secp256k1_ecmult_consts != NULL); DEBUG_CHECK(secp256k1_ecmult_consts != NULL);
DEBUG_CHECK(msg32 != NULL); DEBUG_CHECK(msg32 != NULL);
DEBUG_CHECK(sig64 != NULL); DEBUG_CHECK(sig64 != NULL);
@ -166,10 +172,6 @@ int secp256k1_ecdsa_recover_compact(const unsigned char *msg32, const unsigned c
DEBUG_CHECK(pubkeylen != NULL); DEBUG_CHECK(pubkeylen != NULL);
DEBUG_CHECK(recid >= 0 && recid <= 3); DEBUG_CHECK(recid >= 0 && recid <= 3);
int ret = 0;
secp256k1_scalar_t m;
secp256k1_ecdsa_sig_t sig;
int overflow = 0;
secp256k1_scalar_set_b32(&sig.r, sig64, &overflow); secp256k1_scalar_set_b32(&sig.r, sig64, &overflow);
if (overflow) { if (overflow) {
return 0; return 0;
@ -180,7 +182,6 @@ int secp256k1_ecdsa_recover_compact(const unsigned char *msg32, const unsigned c
} }
secp256k1_scalar_set_b32(&m, msg32, NULL); secp256k1_scalar_set_b32(&m, msg32, NULL);
secp256k1_ge_t q;
if (secp256k1_ecdsa_sig_recover(&sig, &q, &m, recid)) { if (secp256k1_ecdsa_sig_recover(&sig, &q, &m, recid)) {
ret = secp256k1_eckey_pubkey_serialize(&q, pubkey, pubkeylen, compressed); ret = secp256k1_eckey_pubkey_serialize(&q, pubkey, pubkeylen, compressed);
} }
@ -188,60 +189,62 @@ int secp256k1_ecdsa_recover_compact(const unsigned char *msg32, const unsigned c
} }
int secp256k1_ec_seckey_verify(const unsigned char *seckey) { int secp256k1_ec_seckey_verify(const unsigned char *seckey) {
secp256k1_scalar_t sec;
int ret;
int overflow;
DEBUG_CHECK(seckey != NULL); DEBUG_CHECK(seckey != NULL);
secp256k1_scalar_t sec;
int overflow;
secp256k1_scalar_set_b32(&sec, seckey, &overflow); secp256k1_scalar_set_b32(&sec, seckey, &overflow);
int ret = !secp256k1_scalar_is_zero(&sec) && !overflow; ret = !secp256k1_scalar_is_zero(&sec) && !overflow;
secp256k1_scalar_clear(&sec); secp256k1_scalar_clear(&sec);
return ret; return ret;
} }
int secp256k1_ec_pubkey_verify(const unsigned char *pubkey, int pubkeylen) { int secp256k1_ec_pubkey_verify(const unsigned char *pubkey, int pubkeylen) {
secp256k1_ge_t q;
DEBUG_CHECK(pubkey != NULL); DEBUG_CHECK(pubkey != NULL);
secp256k1_ge_t q;
return secp256k1_eckey_pubkey_parse(&q, pubkey, pubkeylen); return secp256k1_eckey_pubkey_parse(&q, pubkey, pubkeylen);
} }
int secp256k1_ec_pubkey_create(unsigned char *pubkey, int *pubkeylen, const unsigned char *seckey, int compressed) { int secp256k1_ec_pubkey_create(unsigned char *pubkey, int *pubkeylen, const unsigned char *seckey, int compressed) {
secp256k1_gej_t pj;
secp256k1_ge_t p;
secp256k1_scalar_t sec;
DEBUG_CHECK(secp256k1_ecmult_gen_consts != NULL); DEBUG_CHECK(secp256k1_ecmult_gen_consts != NULL);
DEBUG_CHECK(pubkey != NULL); DEBUG_CHECK(pubkey != NULL);
DEBUG_CHECK(pubkeylen != NULL); DEBUG_CHECK(pubkeylen != NULL);
DEBUG_CHECK(seckey != NULL); DEBUG_CHECK(seckey != NULL);
secp256k1_scalar_t sec;
secp256k1_scalar_set_b32(&sec, seckey, NULL); secp256k1_scalar_set_b32(&sec, seckey, NULL);
secp256k1_gej_t pj;
secp256k1_ecmult_gen(&pj, &sec); secp256k1_ecmult_gen(&pj, &sec);
secp256k1_scalar_clear(&sec); secp256k1_scalar_clear(&sec);
secp256k1_ge_t p;
secp256k1_ge_set_gej(&p, &pj); secp256k1_ge_set_gej(&p, &pj);
return secp256k1_eckey_pubkey_serialize(&p, pubkey, pubkeylen, compressed); return secp256k1_eckey_pubkey_serialize(&p, pubkey, pubkeylen, compressed);
} }
int secp256k1_ec_pubkey_decompress(unsigned char *pubkey, int *pubkeylen) { int secp256k1_ec_pubkey_decompress(unsigned char *pubkey, int *pubkeylen) {
secp256k1_ge_t p;
DEBUG_CHECK(pubkey != NULL); DEBUG_CHECK(pubkey != NULL);
DEBUG_CHECK(pubkeylen != NULL); DEBUG_CHECK(pubkeylen != NULL);
secp256k1_ge_t p;
if (!secp256k1_eckey_pubkey_parse(&p, pubkey, *pubkeylen)) if (!secp256k1_eckey_pubkey_parse(&p, pubkey, *pubkeylen))
return 0; return 0;
return secp256k1_eckey_pubkey_serialize(&p, pubkey, pubkeylen, 0); return secp256k1_eckey_pubkey_serialize(&p, pubkey, pubkeylen, 0);
} }
int secp256k1_ec_privkey_tweak_add(unsigned char *seckey, const unsigned char *tweak) { int secp256k1_ec_privkey_tweak_add(unsigned char *seckey, const unsigned char *tweak) {
secp256k1_scalar_t term;
secp256k1_scalar_t sec;
int ret;
int overflow = 0;
DEBUG_CHECK(seckey != NULL); DEBUG_CHECK(seckey != NULL);
DEBUG_CHECK(tweak != NULL); DEBUG_CHECK(tweak != NULL);
secp256k1_scalar_t term;
int overflow = 0;
secp256k1_scalar_set_b32(&term, tweak, &overflow); secp256k1_scalar_set_b32(&term, tweak, &overflow);
secp256k1_scalar_t sec;
secp256k1_scalar_set_b32(&sec, seckey, NULL); secp256k1_scalar_set_b32(&sec, seckey, NULL);
int ret = secp256k1_eckey_privkey_tweak_add(&sec, &term) && !overflow; ret = secp256k1_eckey_privkey_tweak_add(&sec, &term) && !overflow;
if (ret) { if (ret) {
secp256k1_scalar_get_b32(seckey, &sec); secp256k1_scalar_get_b32(seckey, &sec);
} }
@ -252,18 +255,19 @@ int secp256k1_ec_privkey_tweak_add(unsigned char *seckey, const unsigned char *t
} }
int secp256k1_ec_pubkey_tweak_add(unsigned char *pubkey, int pubkeylen, const unsigned char *tweak) { int secp256k1_ec_pubkey_tweak_add(unsigned char *pubkey, int pubkeylen, const unsigned char *tweak) {
secp256k1_ge_t p;
secp256k1_scalar_t term;
int ret;
int overflow = 0;
DEBUG_CHECK(secp256k1_ecmult_consts != NULL); DEBUG_CHECK(secp256k1_ecmult_consts != NULL);
DEBUG_CHECK(pubkey != NULL); DEBUG_CHECK(pubkey != NULL);
DEBUG_CHECK(tweak != NULL); DEBUG_CHECK(tweak != NULL);
secp256k1_scalar_t term;
int overflow = 0;
secp256k1_scalar_set_b32(&term, tweak, &overflow); secp256k1_scalar_set_b32(&term, tweak, &overflow);
if (overflow) { if (overflow) {
return 0; return 0;
} }
secp256k1_ge_t p; ret = secp256k1_eckey_pubkey_parse(&p, pubkey, pubkeylen);
int ret = secp256k1_eckey_pubkey_parse(&p, pubkey, pubkeylen);
if (ret) { if (ret) {
ret = secp256k1_eckey_pubkey_tweak_add(&p, &term); ret = secp256k1_eckey_pubkey_tweak_add(&p, &term);
} }
@ -277,15 +281,16 @@ int secp256k1_ec_pubkey_tweak_add(unsigned char *pubkey, int pubkeylen, const un
} }
int secp256k1_ec_privkey_tweak_mul(unsigned char *seckey, const unsigned char *tweak) { int secp256k1_ec_privkey_tweak_mul(unsigned char *seckey, const unsigned char *tweak) {
secp256k1_scalar_t factor;
secp256k1_scalar_t sec;
int ret;
int overflow = 0;
DEBUG_CHECK(seckey != NULL); DEBUG_CHECK(seckey != NULL);
DEBUG_CHECK(tweak != NULL); DEBUG_CHECK(tweak != NULL);
secp256k1_scalar_t factor;
int overflow = 0;
secp256k1_scalar_set_b32(&factor, tweak, &overflow); secp256k1_scalar_set_b32(&factor, tweak, &overflow);
secp256k1_scalar_t sec;
secp256k1_scalar_set_b32(&sec, seckey, NULL); secp256k1_scalar_set_b32(&sec, seckey, NULL);
int ret = secp256k1_eckey_privkey_tweak_mul(&sec, &factor) && !overflow; ret = secp256k1_eckey_privkey_tweak_mul(&sec, &factor) && !overflow;
if (ret) { if (ret) {
secp256k1_scalar_get_b32(seckey, &sec); secp256k1_scalar_get_b32(seckey, &sec);
} }
@ -296,18 +301,19 @@ int secp256k1_ec_privkey_tweak_mul(unsigned char *seckey, const unsigned char *t
} }
int secp256k1_ec_pubkey_tweak_mul(unsigned char *pubkey, int pubkeylen, const unsigned char *tweak) { int secp256k1_ec_pubkey_tweak_mul(unsigned char *pubkey, int pubkeylen, const unsigned char *tweak) {
secp256k1_ge_t p;
secp256k1_scalar_t factor;
int ret;
int overflow = 0;
DEBUG_CHECK(secp256k1_ecmult_consts != NULL); DEBUG_CHECK(secp256k1_ecmult_consts != NULL);
DEBUG_CHECK(pubkey != NULL); DEBUG_CHECK(pubkey != NULL);
DEBUG_CHECK(tweak != NULL); DEBUG_CHECK(tweak != NULL);
secp256k1_scalar_t factor;
int overflow = 0;
secp256k1_scalar_set_b32(&factor, tweak, &overflow); secp256k1_scalar_set_b32(&factor, tweak, &overflow);
if (overflow) { if (overflow) {
return 0; return 0;
} }
secp256k1_ge_t p; ret = secp256k1_eckey_pubkey_parse(&p, pubkey, pubkeylen);
int ret = secp256k1_eckey_pubkey_parse(&p, pubkey, pubkeylen);
if (ret) { if (ret) {
ret = secp256k1_eckey_pubkey_tweak_mul(&p, &factor); ret = secp256k1_eckey_pubkey_tweak_mul(&p, &factor);
} }
@ -321,23 +327,25 @@ int secp256k1_ec_pubkey_tweak_mul(unsigned char *pubkey, int pubkeylen, const un
} }
int secp256k1_ec_privkey_export(const unsigned char *seckey, unsigned char *privkey, int *privkeylen, int compressed) { int secp256k1_ec_privkey_export(const unsigned char *seckey, unsigned char *privkey, int *privkeylen, int compressed) {
secp256k1_scalar_t key;
int ret;
DEBUG_CHECK(seckey != NULL); DEBUG_CHECK(seckey != NULL);
DEBUG_CHECK(privkey != NULL); DEBUG_CHECK(privkey != NULL);
DEBUG_CHECK(privkeylen != NULL); DEBUG_CHECK(privkeylen != NULL);
secp256k1_scalar_t key;
secp256k1_scalar_set_b32(&key, seckey, NULL); secp256k1_scalar_set_b32(&key, seckey, NULL);
int ret = secp256k1_eckey_privkey_serialize(privkey, privkeylen, &key, compressed); ret = secp256k1_eckey_privkey_serialize(privkey, privkeylen, &key, compressed);
secp256k1_scalar_clear(&key); secp256k1_scalar_clear(&key);
return ret; return ret;
} }
int secp256k1_ec_privkey_import(unsigned char *seckey, const unsigned char *privkey, int privkeylen) { int secp256k1_ec_privkey_import(unsigned char *seckey, const unsigned char *privkey, int privkeylen) {
secp256k1_scalar_t key;
int ret;
DEBUG_CHECK(seckey != NULL); DEBUG_CHECK(seckey != NULL);
DEBUG_CHECK(privkey != NULL); DEBUG_CHECK(privkey != NULL);
secp256k1_scalar_t key; ret = secp256k1_eckey_privkey_parse(&key, privkey, privkeylen);
int ret = secp256k1_eckey_privkey_parse(&key, privkey, privkeylen);
if (ret) if (ret)
secp256k1_scalar_get_b32(seckey, &key); secp256k1_scalar_get_b32(seckey, &key);
secp256k1_scalar_clear(&key); secp256k1_scalar_clear(&key);

View file

@ -1741,7 +1741,7 @@ int main(int argc, char **argv) {
/* find random seed */ /* find random seed */
if (argc > 2) { if (argc > 2) {
seed = strtoull(argv[2], NULL, 0); sscanf(argv[2], "%" I64uFORMAT, (unsigned long long*)&seed);
} else { } else {
FILE *frand = fopen("/dev/urandom", "r"); FILE *frand = fopen("/dev/urandom", "r");
if (!frand || !fread(&seed, sizeof(seed), 1, frand)) { if (!frand || !fread(&seed, sizeof(seed), 1, frand)) {
@ -1752,7 +1752,7 @@ int main(int argc, char **argv) {
secp256k1_rand_seed(seed); secp256k1_rand_seed(seed);
printf("test count = %i\n", count); printf("test count = %i\n", count);
printf("random seed = %llu\n", (unsigned long long)seed); printf("random seed = %" I64uFORMAT "\n", (unsigned long long)seed);
/* initialize */ /* initialize */
secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY); secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);

View file

@ -84,8 +84,21 @@ static SECP256K1_INLINE void *checked_malloc(size_t size) {
# endif # endif
#endif #endif
#if defined(_WIN32)
# define I64FORMAT "I64d"
# define I64uFORMAT "I64u"
#else
# define I64FORMAT "lld"
# define I64uFORMAT "llu"
#endif
#if defined(HAVE___INT128) #if defined(HAVE___INT128)
typedef unsigned __int128 uint128_t; # if defined(__GNUC__)
# define SECP256K1_GNUC_EXT __extension__
# else
# define SECP256K1_GNUC_EXT
# endif
SECP256K1_GNUC_EXT typedef unsigned __int128 uint128_t;
#endif #endif
#endif #endif